Stay Safe

Cybersecurity Alerts

For your safety, we provide a curated list of crucial cybersecurity alerts to help safeguard your organization against cyber-attacks.

RSS Feed

critical

"FortiBleed" — Massive Credential Leak Exposes ~75,000 Fortinet Firewall Devices

Updated: June 22nd, 2026

Category: Fortinet

Source: HudsonRock

Overview

A large-scale credential theft campaign — now dubbed "FortiBleed" — has resulted in the exposure of administrator usernames and plaintext passwords for approximately 75,000 Fortinet firewall and VPN devices worldwide. The Canadian Centre for Cyber Security (CCCS) has issued a formal alert and is urging Canadian organizations to act immediately. Independent security researcher Kevin Beaumont has confirmed the data is authentic, noting that the dataset represents roughly half of all internet-facing Fortinet firewall devices globally. Canada has 810 devices listed in the dataset.

This is not a software vulnerability with a patch — it is a confirmed credential exposure event. Organizations using Fortinet FortiGate firewalls or VPN gateways should act immediately, regardless of patch level.


What You Need to Know

  • What it is: Attackers obtained configuration files from Fortinet FortiGate firewall devices — likely by exploiting the devices directly — and cracked the administrator password hashes contained within those files. The resulting plaintext credentials were collected into a structured database that is now circulating among criminal groups.
  • Why it matters: An attacker with valid admin credentials can log directly into your firewall, bypass all its security controls, create hidden backdoor accounts, and access your internal network as a trusted administrator. Multiple organizations across several countries have already been fully compromised.
  • Who is affected: Organizations worldwide running Fortinet FortiGate firewalls or VPN gateways with management interfaces exposed to the internet. Canada has 810 devices in the dataset. Affected sectors include IT services, telecommunications, financial services, government, healthcare, education, and construction.
  • Exploitation status: Active and confirmed. Multiple full network compromises have been verified, including a NATO-affiliated defence contractor. Kevin Beaumont independently verified credentials for several organizations listed in the dataset.
  • Why complex passwords did not help: Fortinet began improving how it stores admin passwords in early 2025, moving to a stronger format (PBKDF2). However, this upgrade only took effect if administrators actively logged in after applying the firmware update. Many devices continued using an older, more crackable format (SHA-256 with salt). Attackers broke these using a dedicated 45-GPU cracking cluster. A complex password stored in a weaker format is just as vulnerable as a simple one.
  • How this compares to the 2025 Belsen Group leak: The 2025 Belsen Group Fortinet leak involved 15,000 devices and was traced to a 2022 vulnerability. This dataset is largely different, more recent, and nearly five times larger. The exact method used to obtain the configuration files has not yet been confirmed.
  • No official Fortinet advisory has been published as of the date of this alert.

Affected Products

  • Devices: ~73,932 unique FortiGate firewall/VPN URLs across 194 countries
  • Domains: 21,387 unique affected domains
  • Canada: 810 devices in the dataset (25th highest globally)
  • Top affected sectors: IT services, telecommunications, financial services, government services, healthcare, education, manufacturing, construction
  • Common condition: Management interface exposed to the public internet

Recommended Actions

Canadian Centre for Cyber Security Guidance

  1. Inventory all accounts on your Fortinet devices. Identify and immediately disable or remove any unauthorized or suspicious accounts — the CCCS specifically flags accounts named forticloud-sync and forticloud-tech as indicators of possible backdoor access.

  2. Restrict access to management interfaces to trusted internal networks and specific hosts only.

  3. Terminate all active SSL VPN and administrative sessions immediately.

  4. Reset passwords for all Fortinet VPN and administrative accounts.

  5. Enforce multi-factor authentication (MFA) on all administrator accounts and external VPN gateways. MFA requires a second verification step beyond a password and would neutralize stolen credentials even if passwords are compromised.

  6. Ensure all Fortinet devices are running the latest firmware. The CCCS specifically recommends checking for patches related to:

    • CVE-2024-55591 (privilege escalation — allows attackers to gain high-level system access)
    • CVE-2025-59718 and CVE-2025-59719 (authentication bypass — allows attackers to skip login controls entirely)
  7. Review and implement the CCCS Top 10 IT Security Actions, with emphasis on:

    • Consolidate, monitor, and defend internet gateways
    • Patch operating systems and applications
    • Enforce the management of administrative privileges
    • Harden operating systems and applications
  8. Report suspected activity to the CCCS via My Cyber Portal or by emailing [email protected].


Notes

  • The root cause of the configuration file theft has not been confirmed. It may involve one or more known Fortinet CVEs, a new undisclosed vulnerability, or another method. Monitor Fortinet's PSIRT advisory page for updates: https://www.fortiguard.com/psirt
  • This is a credential exposure event, not a traditional software vulnerability. Even fully patched devices may be affected if their configurations were previously stolen.
  • The attacker database categorizes victims by company type, revenue, and employee count — consistent with criminal groups packaging compromised credentials for sale as initial access.

Additional Resources

Canadian Centre for Cyber Security — Alert AL26-014

 

critical

Avada Builder Vulnerability Could Lead to Full WordPress Site Takeover

Updated: June 22nd, 2026

Category: WordPress

Source: Wordfence

Overview

A critical security flaw in the Avada Builder WordPress plugin — active on approximately one million sites — allows attackers to delete core files on the web server without logging in. Deleting a key WordPress configuration file can effectively wipe the site's setup, allowing an attacker to take full control and run malicious code. No active exploitation has been confirmed yet, but the vulnerability is rated critical and Wordfence considers it a strong candidate for imminent exploitation. A patch is available and should be applied immediately.


What You Need to Know

  • What it is: A path traversal flaw — meaning the plugin fails to properly restrict which files can be targeted — in Avada Builder's form cleanup feature. An attacker can submit a specially crafted form entry that tricks the plugin into deleting any file on the server, not just form-related files.
  • Why it matters: Deleting WordPress's core configuration file (wp-config.php) causes the site to enter its initial setup state. An attacker can then point the site at a database they control, install malicious code, and achieve full remote access to the server.
  • Who is affected: WordPress sites running Avada Builder (also known as Fusion Builder) version 3.15.3 or older that have at least one published Avada form configured to save entries to the database.
  • Exploitation status: No active exploitation confirmed as of June 18, 2026. However, Wordfence considers this a strong exploitation candidate given its critical severity and the simplicity of the attack.
  • Patch status: Fully patched version (3.15.4) released June 2, 2026. Update immediately.
  • Important clarification: The attack does not require any administrator interaction. Once a qualifying form exists on the site, an unauthenticated visitor can trigger the exploit entirely on their own.

Affected Products

Plugin and Versions:

  • Avada (Fusion) Builder versions 3.15.3 and older

Condition required for exploitation:

  • At least one published Avada form configured to save form submissions to the database

Fixed Version:

  • Avada (Fusion) Builder 3.15.4 (released June 2, 2026)

Vendor Guidance

(from Wordfence and Avada)

  1. Update Avada Builder to version 3.15.4 immediately via your WordPress dashboard under Plugins → Updates.

  2. If you cannot patch immediately, review your published Avada forms and temporarily disable any forms that are configured to save entries to the database. This removes the condition required for exploitation.


Notes

  • No active exploitation has been confirmed at the time of publication. The patch has been available since June 2, 2026.
  • The CVSS score is 9.1 (Critical). No user interaction or authentication is required to exploit this vulnerability.
  • The attack targets Avada Builder's form privacy cleanup feature — a component many administrators may not know is active on their site.

Additional Resources

Wordfence Advisory

CVE-2026-8713

medium

Gravity SMTP WordPress Plugin Under Mass Exploitation

Updated: June 22nd, 2026

Category: WordPress

Source: Wordfence

Overview

A vulnerability in the Gravity SMTP WordPress plugin is being actively exploited at massive scale. The flaw allows anyone on the internet—without logging in—to extract sensitive configuration data from affected sites, including API keys, email service credentials, and detailed server information. Over 17 million exploitation attempts have been blocked by Wordfence alone. A patch has been available since March 17, 2026; sites that have not yet updated should do so immediately.


What You Need to Know

  • What it is: A misconfigured REST API endpoint (a publicly accessible URL built into the plugin) that returns a full system report—including credentials and configuration details—to anyone who requests it, no login required.
  • Why it matters: Attackers can silently harvest live email service credentials and detailed site intelligence in a single request, with no trace of modification left on the site. Stolen credentials can be used to send email impersonating your organization, and the leaked system details help attackers identify further vulnerabilities on your site.
  • Who is affected: WordPress sites running Gravity SMTP version 2.1.4 or older, across approximately 100,000 active installations.
  • Exploitation status: Active mass exploitation confirmed. Over 17 million attempts blocked by Wordfence; single-day peak of 4 million attempts on June 7, 2026.
  • Patch or mitigation status: Fully patched version (2.1.5) has been available since March 17, 2026. Update immediately.
  • Important clarification: Despite its medium CVSS severity rating of 5.3, the practical business impact is significantly higher due to confirmed mass exploitation and the potential exposure of live third-party credentials.

Affected Products

Plugin and Versions:

  • Gravity SMTP versions 2.1.4 and older (all versions)

Fixed Version:

  • Gravity SMTP 2.1.5 (released March 17, 2026)

Vendor Guidance

(from Wordfence)

  1. Update Gravity SMTP to version 2.1.5 immediately via your WordPress dashboard under Plugins → Updates.

  2. If you were running a vulnerable version and had any email integrations configured, assume your API keys, secrets, and OAuth tokens may have been exposed. Rotate all affected credentials immediately through each email service provider's dashboard (Amazon SES, Google, Mailjet, Resend, Zoho, or whichever service you use).

  3. Review your web server access logs for requests to:
    /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings
    Any such requests—especially from the IP addresses listed below—indicate exploitation attempts against your site.

  4. If you use Wordfence, confirm you are running version 2.1.5 or later of the plugin and that firewall rules are current. Free Wordfence users received firewall protection for this issue on June 4, 2026.


Indicators of Compromise (IoCs)

Because this vulnerability exposes data silently via a read-only request, it does not modify your site—meaning there may be no obvious signs of exploitation. Wordfence recommends the following checks:

Suspicious endpoint in access logs:

  • Requests to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings
    This is the specific URL attackers use to pull credentials. Any hit on this endpoint from an unknown IP should be treated as an exploitation attempt.

Top attacking IP addresses to check logs for and block:

  • 45.148.10.95
  • 193.32.162.60
  • 176.65.148.139
  • 173.199.90.188
  • 45.148.10.120
  • 185.8.107.155
  • 185.8.106.37
  • 185.8.106.92
  • 185.8.106.145
  • 176.65.148.30

If any of these IPs appear in your logs alongside the endpoint above, your site was targeted. If you were running a vulnerable version at the time, treat your email integration credentials as compromised and rotate them immediately.


Notes

  • Active exploitation is confirmed at very high volume. The heaviest activity was recorded June 7–11, 2026.
  • No authentication is required to exploit this vulnerability — a single HTTP request is sufficient.
  • The CVSS score of 5.3 (Medium) understates the practical risk given confirmed mass exploitation and credential exposure.

Additional Resources

Wordfence Advisory

Bleeping Computer

critical

WordPress ShapedPlugin Pro Compromised in Supply Chain Attack

Updated: June 22nd, 2026

Category: WordPress

Source: Wordfence

Overview

Three paid WordPress plugins from ShapedPlugin were compromised in a supply chain attack—meaning the attacker infiltrated the vendor's own build and distribution system, then used it to push malware-laced updates to paying customers through the official update channel. The malware installs a hidden backdoor that steals credentials, two-factor authentication secrets, payment data, and database access keys. Infected updates were live from May 21 to June 12, 2026.


What You Need to Know

  • What it is: Attackers breached ShapedPlugin's build pipeline—the system used to package and distribute plugin updates—and injected malicious code into Pro plugin releases before they reached customers.
  • Why it matters: Because the malware arrived through a trusted, official update channel, standard security practices (keeping plugins up to date) would not have protected against infection. Sites that updated during the exposure window may be compromised.
  • Who is affected: WordPress site owners who purchased and updated any of the three affected Pro plugins between May 21 and June 12, 2026.
  • Exploitation status: Active. The malware was confirmed in the wild. The exposure window ran approximately three weeks before patches were issued.
  • Patch or mitigation status: Clean versions are now available. However, patching alone is not sufficient—infected sites require active cleanup and full credential rotation.
  • Important clarification: Free versions of ShapedPlugin plugins hosted on WordPress.org were not affected. Only paid Pro plugins distributed through the vendor's own update system were compromised.

Affected Products

Compromised plugins (paid/Pro versions only):

  • Product Slider Pro for WooCommerce — versions before 3.5.4
  • Real Testimonials Pro — version 3.2.5
  • Smart Post Show Pro — versions before 4.0.2

Not affected:

  • Free plugin versions hosted on WordPress.org
  • Sites that did not update these plugins between May 21 and June 12, 2026

Fixed versions:

  • Product Slider Pro for WooCommerce 3.5.4
  • Real Testimonials Pro 3.2.6
  • Smart Post Show Pro 4.0.2

Vendor Guidance

(from Wordfence and ShapedPlugin)

  1. Update all three affected plugins to their fixed versions immediately.

  2. Check for fake WooCommerce plugins installed on your site—look for folders named:

    • wp-content/plugins/woocommerce-subscription/
    • wp-content/plugins/woocommerce-notification/
      These are not legitimate WooCommerce plugins. If found, your site is infected.
  3. Reset all passwords on your WordPress site, including all administrator and user accounts.

  4. Regenerate two-factor authentication (2FA) secrets for all users. Two-factor authentication adds a second verification step beyond a password—if those secrets were stolen, attackers may be able to bypass that protection entirely.

  5. Rotate database credentials and regenerate WordPress authentication keys and salts (found in wp-config.php).

  6. Review your user list for any unauthorized administrator accounts that may have been added.

  7. Check SMTP and email plugin settings for unauthorized changes to outgoing mail credentials.


Indicators of Compromise (IoCs)

The following are technical markers that indicate a site may be or has been infected. If your IT team or security provider identifies any of these, treat your site as compromised and act immediately.

  • Malicious loader file: LicenseLoader.php
    (SHA-256: 0e17c869d3e4586d4c160041042bd15123c2a37117a98a995fae885f0f4417fc)
    This file was injected into the plugin packages and acts as the entry point for the attack.

  • C2 server IP: 194.76.217.28 on port 2871
    (C2, or command-and-control, is a server operated by the attacker to receive stolen data and send instructions)

  • Credential theft domain: generate.2faplugin.org
    (Stolen credentials and 2FA secrets were sent to this domain)

  • Fake plugin directories:

    • wp-content/plugins/woocommerce-subscription/
    • wp-content/plugins/woocommerce-notification/
  • Suspicious database entries in WordPress options table:

    • theme_options_scripts
    • wc_nf_install_done

If you identify any of these on your site, assume full compromise—rotate all credentials, review all user accounts, and consider engaging a WordPress security specialist.


Notes

  • Active exploitation is confirmed. The infection window ran from May 21 to approximately June 12, 2026.
  • This attack targeted 2FA secrets specifically, meaning standard multi-factor authentication protections may have been bypassed on affected sites.
  • This is the second major WordPress plugin supply chain incident in a short period, following a similar breach of OptinMonster via a CDN compromise.
  • CVE-2026-10735 is the primary tracking identifier; CVE-2026-49777 was submitted as a duplicate.

Additional Resources

Wordfence PSA

Bleeping Computer

critical

Critical Splunk Enterprise Vulnerability Under Active Exploitation

Updated: June 19th, 2026

Category: Splunk

Source: Splunk

Overview

A critical security flaw in Splunk Enterprise is being actively exploited by attackers. The vulnerability (CVE-2026-20253) allows remote attackers to run malicious code on affected systems without needing any username or password. CISA has directed U.S. federal agencies to patch by Sunday, June 21, 2026.


What You Need to Know

  • What it is: A missing authentication check in Splunk's PostgreSQL sidecar service—a component that handles database connections. Attackers can send specially crafted requests to this endpoint to execute commands on the server.
  • Why it matters: Attackers can fully control affected systems over the network, potentially stealing data, deploying malware, or disrupting operations. The flaw is "pre-authentication," meaning no login credentials are needed.
  • Who is affected: Organizations running Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3.
  • Exploitation status: Confirmed active exploitation in the wild as of June 18, 2026. Proof-of-concept exploit code is publicly available.
  • Patch or mitigation status: Patches are available (versions 10.0.7 and 10.2.4). A workaround (disabling PostgreSQL sidecar) is available but may disrupt data processing features.
  • Important clarifications: This affects enterprise deployments of Splunk, not personal or smaller-scale installations. However, over 1,400 internet-exposed Splunk instances have been identified, with 952 in North America.

Affected Products

Products and Versions:

  • Splunk Enterprise 10.0.0 through 10.0.6
  • Splunk Enterprise 10.2.0 through 10.2.3

Not Affected:

  • Splunk Enterprise versions prior to 10.0.0
  • Splunk Cloud Platform (managed by Splunk)
  • Fixed versions: 10.0.7 and 10.2.4

Vendor Guidance

  1. Patch immediately to Splunk Enterprise 10.0.7 or 10.2.4 (or later versions).

  2. If patching is not immediately possible, disable the PostgreSQL sidecar service:

    • Navigate to Settings → Server → System in Splunk Web
    • Find the PostgreSQL sidecar setting and disable it
    • Note: This will break Edge Processor, OpAmp, and SPL2 data pipelines. Plan accordingly.
  3. If Splunk is exposed to the internet, evaluate and restrict network access to trusted IPs only. Disable public access if possible.


Indicators of Compromise (IoCs)

The Splunk advisory and WatchTowr research identify the following concerning patterns:

  • Unexpected POST requests to the PostgreSQL sidecar endpoint
  • Creation or modification of unexpected files on the Splunk server
  • Unusual processes spawned by the Splunk user

If you observe these, investigate immediately and consider engaging incident response support.


Additional Resources

Splunk Security Advisory (SVD-2026-0603)

WatchTowr Technical Analysis

high

Actively Exploited Chrome Zero-Day: Update Your Browser Now (CVE-2026-11645)

Updated: June 12th, 2026

Category: Chrome

Source: Google

Overview

Google has released an emergency security update for Chrome to fix a high-severity zero-day vulnerability that is being actively exploited in the wild. The flaw allows an attacker to execute malicious code inside a user's browser by simply directing them to a crafted webpage — no download or login is required.

The fix is available now and can be applied in under a minute using Chrome's built-in update feature. Update Chrome immediately.

This is the fifth Chrome zero-day exploited in attacks so far in 2026.


What You Need to Know

  • CVE-2026-11645 is a high-severity flaw in Chrome's V8 JavaScript engine — the component responsible for running JavaScript code on virtually every website you visit
  • The vulnerability is caused by an out-of-bounds read and write weakness, meaning the browser can be tricked into reading or writing data outside the memory area it is supposed to access. This type of flaw can expose sensitive information, cause the browser to crash, or allow an attacker to run malicious code
  • Exploitation requires only that the target visits a malicious or compromised webpage — no file download, no login, and no further interaction is needed
  • The flaw can also be used to bypass ASLR (Address Space Layout Randomization) — a built-in memory protection feature in modern operating systems — making it easier for attackers to chain this vulnerability with others for deeper system compromise
  • CVSS score: 8.8 HIGH (CISA-ADP)
  • Google has confirmed active exploitation — an exploit exists in the wild. No details about specific threat actors or targeted victims have been disclosed
  • CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 9, 2026, with US federal agencies required to remediate by June 23, 2026. For Canadian organizations, this serves as a strong prioritization signal
  • The patched versions are:
    • Windows: 149.0.7827.102 or later
    • Mac: 149.0.7827.103 or later
    • Linux: 149.0.7827.102 or later

Affected Products

  • Google Chrome on Windows, macOS, and Linux — all versions prior to 149.0.7827.103
  • Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, and others) share the same underlying engine and are likely affected — check for updates from each vendor separately

Vendor Guidance

(From Google)

  • Update Chrome immediately. Chrome typically updates automatically in the background, but you should verify and manually trigger the update:

    • Open Chrome
    • Click the three-dot menu (⋮) in the top-right corner
    • Click Help → About Google Chrome
    • Chrome will automatically check for and install any available update
    • Click Relaunch when prompted to complete the installation
    • Your version should show 149.0.7827.102 (Windows/Linux) or 149.0.7827.103 (Mac) or higher
  • If you use other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi, etc.), check for updates in each browser's settings — they each release their own security patches on their own schedules

  • For organizations managing Chrome across multiple devices: Deploy the update through your patch management or endpoint management platform as soon as possible. CISA's remediation deadline of June 23, 2026 is a useful benchmark for prioritization


Notes

  • This is the fifth Chrome zero-day exploited in attacks in 2026 — a pattern that warrants keeping automatic updates enabled in Chrome at all times
  • Google has not disclosed details about who is being targeted or which threat actors are behind the active exploitation. Additional details are typically withheld until most users have updated
  • Chrome's automatic update feature is enabled by default. Users who have not disabled it may already be protected — but confirming your version number as above is the only way to be certain

Additional Resources

critical

Critical Vulnerability in Veeam Backup & Replication

Updated: June 12th, 2026

Category: Veeam

Source: Veeam

Overview


Veeam has released an emergency security patch for a critical vulnerability in Veeam Backup & Replication (VBR) — one of the most widely used backup platforms in the world, deployed by over 550,000 organizations globally. The flaw allows any authenticated domain user — even one with only basic, low-level access — to remotely execute malicious code on the backup server and take full control of it.

Backup servers are among the most valuable targets in a ransomware attack. Attackers who compromise a backup server can steal sensitive data, move freely through the network, and destroy or encrypt backups — eliminating an organization's ability to recover without paying a ransom. Veeam backup servers have been a consistent, high-priority target for ransomware gangs for several years.

A patch is available now and should be applied immediately.


What You Need to Know

  • CVE-2026-44963 is rated Critical with a CVSS v4 score of 9.4 out of 10
  • The vulnerability allows an attacker with any authenticated domain account — including a standard low-privilege user account — to remotely execute code on the VBR backup server and gain full control of it
  • This vulnerability only affects domain-joined VBR installations — backup servers that are members of a Windows Active Directory domain. Standalone (non-domain-joined) servers are not vulnerable
  • Veeam's own long-standing best practice guidance explicitly recommends against joining backup servers to the production domain — however, many organizations do so anyway for convenience, making them vulnerable
  • No active exploitation has been confirmed at the time of publication. However, Veeam warns that attackers routinely begin developing exploits immediately after a patch is released, using the patch itself as a roadmap to the vulnerability
  • Veeam Backup & Replication version 13.x is not affected due to architectural changes introduced in that version
  • This is the fifth critical domain-joined RCE vulnerability patched in VBR version 12 since early 2025 — a pattern that strongly reinforces Veeam's own guidance that production-domain-joined backup servers represent a significant and recurring risk

Affected Products

  • Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds (12, 12.1, 12.2, 12.3.0, 12.3.1, 12.3.2 prior to 4854)
  • Older unsupported versions are not formally tested but are considered likely vulnerable
  • Not affected: Veeam Backup & Replication version 13.x (any build)
  • Not affected: Non-domain-joined VBR installations

Vendor Guidance

(From Veeam KB4869 and KB4696)

  • Update to Veeam Backup & Replication 12.3.2.4854 immediately. This build, released June 8–9, 2026, resolves CVE-2026-44963. Update options:

    • If you are running build 12.3.2.3617, 12.3.2.4165, or 12.3.2.4465 — apply the patch ISO or EXE available from Veeam (smaller download, for patching existing 12.3.2 deployments only)
    • If you are running an earlier version (12, 12.1, 12.2, 12.3.0, or 12.3.1) — use the full upgrade ISO
    • Note: a reboot may be required after installation. Plan accordingly
    • Check your current build number in the VBR Console under the main menu (≡) → Help → About
    • See Veeam KB4696 for download links and upgrade instructions
  • Review whether your VBR server is domain-joined, and consider whether that configuration is still necessary. Veeam's official Security Best Practice Guide states that the most secure deployment keeps VBR components in a separate management workgroup or a separate Active Directory forest — not in your production domain. Joining VBR to the production domain has been the source of five critical RCE vulnerabilities in the past 18 months. See Veeam's Workgroup or Domain guidance for details


Notes

  • Ransomware groups including Akira, Fog, Frag, Cuba, and FIN7-linked operations have previously exploited similar critical VBR vulnerabilities. CISA has added four separate VBR flaws to its Known Exploited Vulnerabilities catalog in recent years — this product line is a proven, high-value ransomware target
  • The recurring nature of critical domain-joined RCE vulnerabilities in VBR version 12 — five in 18 months — is a strong signal that domain membership for backup servers represents a structural risk that patching alone cannot fully address
  • Organizations running unsupported versions of VBR should treat this as an urgent prompt to upgrade, as older builds are considered likely vulnerable but will not receive targeted patches

Additional Resources

medium

Windows 10 June 2026 Security Update (KB5094127)

Updated: June 12th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has released the June 2026 security update for Windows 10 as KB5094127, bringing affected devices to build 19045.7417 (version 22H2) or 19044.7417 (version 21H2).

This update is only available to organizations running Windows 10 Enterprise LTSC or those enrolled in Microsoft's Extended Security Update (ESU) program — the paid program that provides continued patches for Windows 10 after its mainstream support ended in October 2025.

The update delivers the June 2026 Patch Tuesday security fixes — including patches for three publicly disclosed Windows zero-days (covered separately in the June 2026 Windows Zero-Days alert). It also introduces some quality improvements and one notable change that may cause cosmetic display issues for some users. Separately, Microsoft has warned of a known issue where certain devices with BitLocker enabled may be prompted for a recovery key after installing recent updates — details below.


What You Need to Know

Security Content

  • Includes all security fixes from the June 2026 Patch Tuesday cycle — 200+ CVEs addressed, including patches for the GreenPlasma, MiniPlasma, and YellowKey zero-days (see the separate June 2026 Windows Zero-Days alert for details)
  • Also includes fixes carried forward from the May 12, 2026 update (KB5087544)

Secure Boot Certificate Updates

  • This update introduces improved tracking of Secure Boot status in the Windows Security app — the built-in security dashboard — so administrators and users can more easily see whether Secure Boot is enabled and functioning
  • Microsoft is in the process of rolling out new Secure Boot certificates to replace ones expiring this month. This update adds infrastructure to help target which devices receive those new certificates, using a controlled phased rollout
  • A new Group Policy option (LimitSecureBootRequiredServiceData) is available for organizations that want to limit Secure Boot diagnostic data sent to Microsoft

Folder Icon Display Issue (Desktop.ini Hardening)

  • This update introduces a security hardening change to how Windows processes a hidden system file called desktop.ini — a file Windows uses to apply custom icons and localized names to certain folders
  • As a result of this change, some users may notice that custom folder icons or localized folder names no longer appear for folders downloaded from the internet or stored on network/remote locations
  • Access to the folders themselves is not affected — files are not lost or blocked. This is a display-only issue
  • IT administrators should expect user inquiries about "missing" folder icons after this update is deployed. Microsoft has published a separate support article on this: Custom folder icons or localized folder names might not appear after installing the June 2026 Windows security update

BitLocker Recovery Prompt — Known Issue

  • Microsoft has disclosed a known issue where some IT-managed devices may be prompted to enter their BitLocker recovery key on the first restart after installing this update
  • BitLocker is Windows' built-in drive encryption feature. A recovery prompt means the device requires a 48-digit recovery key to finish starting up — without it, the device cannot be accessed
  • This is a one-time event. Once the recovery key is entered, subsequent restarts will not trigger the prompt again — as long as the Group Policy configuration remains unchanged
  • This issue is unlikely to affect personal or home devices. Microsoft confirms it only affects devices where all five of the following conditions are true at the same time:
    • BitLocker is enabled on the operating system drive
    • The Group Policy setting "Configure TPM platform validation profile for native UEFI firmware configurations" is explicitly configured with PCR7 included — or the equivalent registry key is set manually
    • System Information (msinfo32.exe) reports Secure Boot State PCR7 Binding as "Not Possible"
    • The Windows UEFI CA 2023 certificate is present in the device's Secure Boot Signature Database
    • The device is not already running the 2023-signed Windows Boot Manager
  • Microsoft is working on a permanent fix. A workaround is available — see Recommended Actions below

Affected Products

  • Windows 10 Version 22H2 (Build 19045.7417) — ESU subscribers
  • Windows 10 Version 21H2 / Enterprise LTSC 2021 (Build 19044.7417) — ESU subscribers and LTSC users
  • BitLocker known issue affects only a specific subset of the above, as described by the five conditions listed

For All Windows 10 ESU / LTSC Organizations

  • Install KB5094127 as soon as practical. The security content — including three publicly disclosed zero-days — warrants prompt patching. Go to Settings → Windows Update → Check for Updates, or deploy through your patch management tool

BitLocker Precautions — Before Installing

  • Enterprise IT teams should audit BitLocker Group Policy settings before deploying this update. Specifically, check whether "Configure TPM platform validation profile for native UEFI firmware configurations" is explicitly configured with PCR7 included, and verify PCR7 Binding status on potentially affected devices using System Information (msinfo32.exe)
  • Ensure BitLocker recovery keys are accessible before deploying the update to any device. Recovery keys may be stored in:
    • Microsoft account: https://account.microsoft.com/devices/recoverykey
    • Azure Active Directory / Microsoft Entra ID (retrievable via the IT admin portal)
    • A USB drive or printed copy created at setup
    • Your organization's IT management platform (e.g., Intune / Microsoft Endpoint Manager)
  • If your devices meet the conditions for the known issue, or if a recovery prompt appears after installation, follow Microsoft's official workaround steps in the KB5094127 known issues section — see Additional Resources below

For IT Helpdesks — Folder Icon Issue

  • Inform your team that users may report missing folder icons or folder names, particularly for content synced from cloud storage, downloaded from the internet, or stored on network shares. This is cosmetic only and does not affect file access. Refer to the Microsoft support article in Additional Resources below

Notes

  • The BitLocker known issue does not affect personal or home devices in typical configurations — Microsoft explicitly notes that all five triggering conditions are unlikely to occur together outside of IT-managed enterprise environments
  • Organizations running standard Windows 10 without ESU enrollment are no longer receiving any security updates. Migration to Windows 11 should be treated as an active priority
  • The security vulnerability content is covered in the separate June 2026 Windows Zero-Days alert (GreenPlasma, YellowKey, MiniPlasma)

 

high

Three Windows Zero-Days Patched — June 2026 Patch Tuesday

Updated: June 12th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft's June 2026 Patch Tuesday update — covering 206 vulnerabilities in total — includes patches for three Windows zero-days that were publicly disclosed before fixes were available. All three were released by a security researcher using the handle "Nightmare Eclipse" in a dispute over Microsoft's vulnerability disclosure process.

Two of the vulnerabilities — GreenPlasma and MiniPlasma — allow an attacker who is already on a Windows machine to gain full SYSTEM-level control — the highest level of access on a Windows system. The third — YellowKey — allows someone with physical access to a device to bypass BitLocker, Windows' built-in drive encryption. Patches for all three are included in the June 9, 2026 Patch Tuesday update.

Separately, two earlier zero-days from the same researcher (BlueHammer and RedSun) are now confirmed to be actively exploited in real-world attacks. Organizations that have not yet applied recent Windows updates should prioritize doing so.


What You Need to Know

GreenPlasma — CVE-2026-45586

  • A privilege escalation flaw in the Windows Collaborative Translation Framework (CTFMON) — a background Windows component that handles text input across applications
  • Allows a local attacker with basic user-level access to gain SYSTEM privileges — full control of the machine
  • Publicly disclosed before a patch was available; no confirmed active exploitation as of the advisory date
  • Microsoft rates exploitation as More Likely — meaning it considers this flaw likely to be used in attacks in the near term
  • CVSS score: 7.8 — rated Important

YellowKey — CVE-2026-45585

  • A security feature bypass in the Windows Recovery Environment (WinRE) — the special mode Windows boots into for repair and recovery
  • Allows an attacker with physical access to the device to bypass BitLocker drive encryption and access encrypted data
  • BitLocker is the Windows feature commonly used to protect data on lost or stolen laptops and devices
  • Proof-of-concept exploit code is publicly available
  • Important: If your organization uses TPM+PIN as the BitLocker unlock method, this vulnerability is not exploitable on your devices
  • Microsoft has provided a temporary mitigation script and confirms it has no impact on normal system operation — it does not need to be reversed after the June 2026 patch is installed
  • First disclosed May 19, 2026; patch released June 9, 2026
  • CVSS score: 6.8 — rated Important

MiniPlasma — CVE-2020-17103

  • A privilege escalation flaw in the Windows Cloud Files Mini Filter Driver — a component related to cloud-synced file storage
  • This CVE was originally patched in December 2020, but Microsoft has re-released it with June 2026 updates to "comprehensively address" the vulnerability, which was recently re-publicized under the MiniPlasma name
  • No confirmed active exploitation; exploit code maturity is rated as Unproven and exploitability as Less Likely
  • CVSS score: 7.0 — rated Important

Affected Products

GreenPlasma (CVE-2026-45586):

  • Windows 10 (versions 21H2, 22H2, 1607, 1809)
  • Windows 11 (versions 23H2, 24H2, 25H2, 26H1)
  • Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025

YellowKey (CVE-2026-45585):

  • Windows 11 (versions 24H2, 25H2, 26H1)
  • Windows Server 2025

MiniPlasma (CVE-2020-17103):

  • Windows 10 (multiple versions) and Windows 11 (versions 23H2, 24H2, 25H2, 26H1)
  • Windows Server 2019, 2025

Vendor Guidance

(From Microsoft MSRC)

  • Apply the June 2026 Windows Security Updates as soon as possible. All three vulnerabilities are addressed in the standard monthly update. Use Windows Update, Microsoft Update Catalog, or your organization's patch management process. See the Additional Resources section for KB article links

  • For YellowKey (CVE-2026-45585) — apply the interim mitigation script if patching is not immediately possible. Microsoft has published a PowerShell script in the official advisory that removes the vulnerable component from the WinRE environment. Microsoft confirms this has no impact on service availability or management operations, and that the security update will maintain the mitigation's behavior once installed — you do not need to reverse the mitigation after patching. See the YellowKey MSRC advisory for the full script and instructions

  • For YellowKey — consider enabling TPM+PIN for BitLocker if your organization has devices that leave the office or could be physically accessed by unauthorized individuals. Microsoft confirms that if TPM+PIN is in use, this vulnerability is not exploitable. See Microsoft's BitLocker documentation for guidance on configuring this setting


Notes

  • None of the three vulnerabilities covered in this alert have confirmed active exploitation as of the advisory dates. However, two earlier zero-days from the same researcher — BlueHammer (CVE-2026-33825) and RedSun — are now actively exploited, which raises the risk profile for this series overall
  • A fourth zero-day — "RoguePlanet" — was released by the same researcher within hours of the June patches dropping. It is not covered in this alert and has no patch as of the date of this publication. Monitor Microsoft's Security Update Guide for further developments
  • GreenPlasma and MiniPlasma both require local access — an attacker must already be on the machine. They are not remote entry points on their own, but are commonly used as a second step after an initial compromise

Additional Resources

high

Actively Exploited Zero-Day Patched in Microsoft Exchange Server

Updated: June 12th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has patched an actively exploited zero-day vulnerability — CVE-2026-42897 — in on-premises Microsoft Exchange Server. The flaw affects Outlook Web Access (OWA), the browser-based version of Outlook used to access Exchange email.

An attacker can exploit this vulnerability by sending a specially crafted email to a target. If the recipient opens that email in Outlook Web Access, malicious JavaScript code can execute in their browser — without the attacker needing any credentials or special access. This type of attack is known as cross-site scripting (XSS) — meaning an attacker injects malicious code that runs inside a trusted application, in this case your email interface, using the victim's own session.

The vulnerability was first disclosed on May 14, 2026, at which point Microsoft deployed an automatic temporary mitigation. A full security patch was released on June 9, 2026, as part of the June 2026 Exchange Server Security Updates. Organizations running affected Exchange versions should install the patch as soon as possible and keep the temporary mitigation in place as an additional layer of protection.

Exchange Online (Microsoft 365) is not affected.


What You Need to Know

  • What it is: A cross-site scripting vulnerability in Outlook Web Access that lets an attacker run malicious code in a victim's browser by sending them a specially crafted email
  • Some user interaction is required — the recipient must open the email in OWA. However, simply opening the email is sufficient if interaction conditions are met; no further clicks or downloads are needed
  • No attacker credentials are required — any remote attacker can send the malicious email
  • CVSS score is 8.1 — rated Critical by Microsoft
  • Active exploitation is confirmed — CISA added this to its Known Exploited Vulnerabilities catalog on May 15, 2026
  • This was a zero-day — it was exploited in attacks before a full patch was available
  • A temporary mitigation was deployed automatically on May 14, 2026 via Microsoft's Exchange Emergency Mitigation Service (EEMS), which is enabled by default on supported Exchange versions
  • The full patch is now available as of June 9, 2026 — Microsoft strongly recommends installing it immediately and keeping the temporary mitigation in place afterward
  • Do not use Internet Explorer or Microsoft Edge in Internet Explorer Mode to access OWA — the temporary mitigation does not protect users on these browsers. Use a modern browser
  • Applying the June 2026 update does not automatically remove the existing mitigation — Microsoft recommends leaving it in place. If you choose to remove it, follow the specific steps in the Exchange Team blog
  • Important: If the June 2026 update is not installed, your Exchange server will stop receiving new EEMS emergency mitigations from July 2026 onward due to a service-side certificate change. Any mitigations already applied will continue to work, but no new ones can be delivered until you update

Affected Products

  • Microsoft Exchange Server 2016 — Cumulative Update 23
  • Microsoft Exchange Server 2019 — Cumulative Update 14 and Cumulative Update 15
  • Microsoft Exchange Server Subscription Edition (SE) — RTM

Vendor Guidance

(From Microsoft MSRC, the Microsoft Exchange Team, and CISA)

  • (From Microsoft MSRC, the Microsoft Exchange Team, and CISA)

    • Install the June 2026 Exchange Server Security Updates as soon as possible. Microsoft states this explicitly and strongly. Use the Exchange Server Health Checker script to confirm which servers need updating, and the Exchange Update Wizard for update path guidance. After installation, reboot the server and verify all Exchange services have started correctly

    • Install the update on all Exchange servers and Exchange Management Tools workstations in your environment, including servers used only for management purposes

    • Keep the existing EEMS temporary mitigation in place after applying the patch. Microsoft recommends it remain active as an additional layer of defense. Known issues caused by the mitigation (such as OWA calendar print and inline image display problems) will be resolved once the June 2026 update is installed and the mitigation is removed — but Microsoft recommends waiting before removing it

    • Verify that the Exchange Emergency Mitigation Service (EEMS) is enabled on your Exchange server. EEMS is on by default. To confirm the CVE-2026-42897 mitigation (ID: M2.1.x) has been applied, follow the steps in Viewing Applied Mitigations, or run the Exchange Health Checker script and review the EEMS section of the HTML report

    • If your Exchange server cannot use EEMS (for example, if it is in a disconnected environment with no internet access), apply the mitigation manually using the Exchange On-premises Mitigation Tool (EOMT) available at https://aka.ms/UnifiedEOMT. Refer to the Exchange Team blog for full instructions

    • Organizations in Hybrid mode (Exchange on-premises connected to Exchange Online): Exchange Online is already protected, but the June 2026 update must still be installed on your on-premises Exchange servers. If you change the authentication certificate after installing the update, re-run the Hybrid Configuration Wizard


Notes

  • Exchange 2016 and 2019 are out of mainstream support. Organizations still running these versions who are not enrolled in the Period 2 ESU program have no path to this patch and should prioritize migration to Exchange SE
  • Exchange Server has a significant exploitation history — CISA has added 20 Exchange vulnerabilities to its KEV catalog over the past five years, 14 linked to ransomware campaigns

Additional Resources

 

critical

Critical Zero-Day Vulnerability in Oracle PeopleSoft

Updated: June 12th, 2026

Category: Oracle

Source: Oracle

Overview

Oracle has issued an emergency security alert for a critical zero-day vulnerability — CVE-2026-35273 — in Oracle PeopleSoft PeopleTools, the underlying platform that powers PeopleSoft enterprise applications. The flaw allows an attacker on the internet to take full control of a vulnerable system without needing a username or password and without any action from a user.

This vulnerability was already being actively exploited before Oracle issued its advisory. The extortion group ShinyHunters has claimed responsibility for a wave of attacks using this flaw, stating they have stolen data from more than 100 organizations across approximately 300 PeopleSoft instances. Mandiant and Google's threat intelligence team have confirmed the exploitation and linked it directly to this CVE.

The higher education sector is the primary target — 68 percent of the more than 100 organizations notified by Mandiant are universities or colleges. Canadian post-secondary institutions running PeopleSoft should treat this as an immediate priority.

Oracle has released emergency mitigations. A full patch is expected but not yet available as of the advisory date.


What You Need to Know

  • What it is: A critical security flaw in Oracle PeopleSoft PeopleTools that lets an attacker remotely take full control of the system — no password required, no user action needed
  • The vulnerable component is the Updates Environment Management Hub (PSEMHUB) — an administrative and system-to-system component, not a standard user-facing part of PeopleSoft
  • CVSS score is 9.8 out of 10 — near-maximum severity, rated Critical by Oracle
  • This was a zero-day — meaning it was exploited in real attacks before Oracle was aware of it or had released a fix. Oracle's advisory was published June 10, 2026; Mandiant observed attacks beginning May 27, 2026
  • Exploitation is actively confirmed by Mandiant, Google Threat Intelligence Group, and corroborated by BleepingComputer reporting. Oracle's advisory does not explicitly confirm active exploitation but Oracle has not responded to press inquiries on this point
  • ShinyHunters is a well-known extortion group with a track record of large-scale data theft from enterprise platforms. After stealing data, they demand ransom to prevent its public release. They have previously targeted Snowflake, Salesforce, and the Instructure Canvas learning platform
  • Data stolen includes sensitive organizational data. PeopleSoft is commonly used to manage HR, payroll, finance, and student administration — the kind of data that carries significant privacy and regulatory implications if exposed
  • No full patch is available yet — Oracle has issued emergency mitigations only. Applying them is urgent
  • Exploitation does not require the system to be publicly internet-facing in its entirety — the specific vulnerable endpoints need to be reachable, which Mandiant's guidance addresses

Affected Products

  • Oracle PeopleSoft Enterprise PeopleTools, version 8.61
  • Oracle PeopleSoft Enterprise PeopleTools, version 8.62
  • Oracle notes that PeopleSoft Enterprise Applications customers running on top of PeopleTools may also be affected
  • Oracle also notes that versions no longer under Premier or Extended Support have not been tested, but earlier versions are likely also vulnerable

Vendor Guidance

(From Oracle's Security Alert Advisory CVE-2026-35273 and Mandiant / Google Threat Intelligence Group)

Apply Oracle's emergency mitigations immediately. Detailed mitigation instructions are available in Oracle's Patch Availability Document (Oracle Support login required):

Restrict access to the vulnerable endpoints at your network perimeter or firewall. Mandiant specifically recommends blocking external network access to:

  • /PSEMHUB/* (specifically /PSEMHUB/hub)
  • /PSIGW/HttpListeningConnector

Mandiant notes this is a non-breaking action — these are administrative components and are not required for normal user-facing PeopleSoft browser sessions

Review your logs for suspicious activity targeting those endpoints. Look for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector coming from external or untrusted IP addresses

Check your systems for signs of compromise. Mandiant advises auditing PeopleSoft web-tier servers for:

  • Unexpected .jsp files in WebLogic application directories (these may be webshells — malicious files that give attackers ongoing remote access)
  • Unauthorized files or folders in the PSEMHUB transaction staging directory
  • Unexpected directories named logspersistantstorage, or scratchpad under PSEMHUB folders
  • Recently created or modified .xml files in the environment data directory, which attackers may use to maintain access or trigger further compromise after a system restart

If you believe your system may already be compromised, Mandiant recommends beginning incident response immediately, which may include engaging a third-party security team for forensic investigation

Apply all available Oracle Critical Patch Updates and Security Alerts without delay. Oracle strongly recommends remaining on actively supported PeopleTools versions to ensure access to security fixes


Indicators of Compromise (IoCs)

Mandiant and independent security researcher "Michael R" have published the following indicators associated with this campaign. If any of these are found in your logs or network traffic, treat your system as potentially compromised and begin incident response immediately.

What these are: IP addresses used by the attackers to host their attack tools and communicate with compromised systems, a domain name used to disguise malicious activity as legitimate Microsoft services, and files associated with the attack.

What to do if you see them: Review your firewall, network, and PeopleSoft access logs for any connections to or from these addresses. If found, do not wait — contact your IT security team or an incident response provider.

Attacker IP addresses (staging and command-and-control infrastructure):

  • 142.11.200.186
  • 142.11.200.187
  • 142.11.200.188
  • 142.11.200.189
  • 142.11.200.190
  • 108.174.202.99 (identified by independent researcher; also associated with this campaign)
  • 176.120.22.24 (hosts the ShinyHunters public data leak site)

Attacker domain:

  • azurenetfiles.net — a domain designed to look like a legitimate Microsoft Azure service, used by attackers to communicate with compromised systems

Files to look for on your systems:

  • README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT — an extortion note dropped by attackers onto compromised servers
  • meshagent32-azure-ops.exemeshagent64-azure-ops.exemeshagent64-v2.exe — Windows remote management agent files used by attackers, disguised as Azure services
  • Any script named with a victim organization abbreviation followed by _fanout.sh — a lateral movement script used to spread access across internal systems

A full IoC collection including file hashes is available via the Mandiant / Google Threat Intelligence report (VirusTotal GTI collection for registered users).


Notes

  • Active exploitation is confirmed by Mandiant and Google Threat Intelligence Group, predating Oracle's advisory by two weeks
  • Oracle's own advisory does not explicitly confirm active exploitation, but Oracle has not publicly addressed press inquiries on this point
  • Higher education is the primary target — 68% of known victims are universities and colleges. Canadian post-secondary institutions running PeopleSoft should treat this as urgent
  • PeopleSoft holds highly sensitive data — HR records, payroll, student information, and financial data — making a breach here particularly serious from a privacy and regulatory standpoint

Additional Resources

Google Threat Intelligence

Bleeping Computer

critical

Critical Vulnerability in Ivanti Sentry

Updated: June 12th, 2026

Category: Ivanti

Source: Ivanti

Overview

Ivanti has released emergency patches for two critical vulnerabilities in Ivanti Sentry (formerly known as MobileIron Sentry), a security gateway appliance used by organizations to manage and secure mobile device access to corporate systems.

The more severe of the two flaws — CVE-2026-10520 — allows an attacker on the internet to run commands on the device with full system (root) privileges, without needing a password or any interaction from users. The second flaw — CVE-2026-10523 — allows an attacker to create their own administrator accounts on the device, again without authentication.

Both vulnerabilities are rated Critical. CVE-2026-10520 has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is confirmed evidence of active exploitation attempts. Patches are available now. If your organization runs Ivanti Sentry and has not yet applied the update, this should be treated as an immediate priority.


What You Need to Know

  • What it is: Two critical security flaws in Ivanti Sentry that can allow an outsider to fully take over the device — without needing a username, password, or any action from your staff
  • CVE-2026-10520 is an OS command injection flaw — meaning an attacker can send specially crafted commands through the network to take full control of the system. It carries the maximum possible severity score of 10.0
  • CVE-2026-10523 is an authentication bypass — meaning an attacker can skip the login process entirely and create their own administrator accounts with full access. It carries a CVSS score of 9.9
  • Who is affected: Organizations running Ivanti Sentry versions 10.7.0 and earlier, 10.6.1 and earlier, and 10.5.1 and earlier
  • Exploitation status: CISA confirmed active exploitation attempts and added CVE-2026-10520 to its Known Exploited Vulnerabilities catalog on June 11, 2026. Exploitation attempts have been observed in the wild, including against internet-exposed management interfaces. A public proof-of-concept (a working attack demonstration) is also now publicly available, which lowers the skill level needed to exploit this flaw
  • Important clarification: Ivanti states it has no confirmed evidence of exploitation against customer production systems as of the advisory's latest update (June 12, 2026). CISA's KEV addition is based on observed exploitation attempts against honeypots — decoy systems used to detect attacker activity. However, Shadowserver (an independent internet security watchdog) warns that internet-exposed Sentry management interfaces that remain unpatched should be treated as potentially compromised
  • Risk is highest when the management port (port 8443) is exposed to the internet. Ivanti's own documentation states this port should never be publicly accessible. If your environment follows that guidance, your exposure to CVE-2026-10520 is significantly reduced — but patching is still required
  • Patches are available for all affected versions. There is no workaround that replaces patching

Affected Products

  • Ivanti Sentry (formerly MobileIron Sentry)
    • Version 10.7.0 and earlier → Fixed in 10.7.1
    • Version 10.6.0 – 10.6.1 → Fixed in 10.6.2
    • Version 10.5.1 and earlier → Fixed in 10.5.2

Vendor Guidance

(From Ivanti's official security advisory and CISA's KEV alert)

  • Apply the patch immediately. Update your Ivanti Sentry appliance to version 10.5.2, 10.6.2, or 10.7.1, depending on your current version. Updates are available through the Ivanti download portal (login required) or from within the NMDM admin console under Admin > Infrastructure > Sentry
  • Ensure the Sentry management interface (port 8443) is not exposed to the internet. Ivanti explicitly states this interface should never be publicly accessible, regardless of patch status. Verify your firewall and network configuration enforces this
  • If patching is not immediately possible, CISA directs organizations to follow BOD 26-04 guidance or discontinue use of the product
  • If you believe your system may have been compromised before patching, Ivanti advises contacting their support team through the Ivanti Innovators Hub. There are currently no publicly known indicators of compromise (IoCs) that would help identify a breach
  • CISA encourages all organizations — not just U.S. federal agencies — to prioritize patching of vulnerabilities listed in the KEV catalog as part of a risk-based approach to vulnerability management

Notes

  • No user interaction is required to exploit either vulnerability
  • Active exploitation attempts are confirmed by CISA. Full confirmed exploitation of production customer systems has not been publicly verified by Ivanti as of June 12, 2026, but the risk remains high given the public proof-of-concept and CISA's KEV designation
  • The three-day patch deadline (by June 14, 2026) applies to U.S. federal civilian agencies under CISA's Binding Operational Directive (BOD) 26-04. Canadian organizations are not bound by this directive, but the underlying risk and urgency apply equally
  • This is one of 35 vulnerabilities CISA has flagged across Ivanti products over recent years, 12 of which have been linked to ransomware activity

Additional Resources

Ivanti Advisory

CISA Alert

critical

Kirki Plugin Flaw Lets Attackers Hijack WordPress Admin Accounts

Updated: June 5th, 2026

Category: WordPress

Source: Wordfence

Overview

A critical unauthenticated privilege escalation vulnerability has been discovered in the Kirki — Freeform Page Builder, Website Builder and Customizer plugin for WordPress, affecting versions 6.0.0 through 6.0.6. Tracked as CVE-2026-8206, the flaw allows any unauthenticated attacker to take over any user account on an affected WordPress site — including administrator accounts — by exploiting a flaw in the plugin's password reset process.

A patch is available. WordPress site owners and administrators running a vulnerable version of Kirki should update to version 6.0.7 immediately. Active exploitation has been confirmed, with Wordfence blocking over 200 attacks against its customers in the past 24 hours.


What You Need to Know

  • What it is: A flaw in the Kirki plugin's password reset functionality allows an unauthenticated attacker to request a password reset for any user account on the site — including administrator accounts — and have the reset link delivered to an email address the attacker controls. The attacker can then use that link to set a new password and take full control of the account.
  • What Kirki is: A widely used WordPress plugin for visual page building and theme customization, active on more than 500,000 websites. The vulnerability was introduced in version 6.0.0 and affects approximately 150,000 sites running a vulnerable version.
  • Who can exploit it: Any unauthenticated remote attacker. No credentials, no prior access, and no user interaction are required.
  • What an attacker can do after gaining admin access: Install malicious plugins, create new administrator accounts, modify or deface site content, deploy persistent backdoors or web shells, and access private databases and user data.
  • Active exploitation is confirmed. Wordfence has blocked over 200 attacks targeting this vulnerability against its customers in the past 24 hours alone.
  • A patch is available. Version 6.0.7 of the Kirki plugin, released May 18, 2026, fully addresses this vulnerability. All sites running versions 6.0.0 through 6.0.6 should update immediately.
  • CVSS score: 9.8 Critical (CVSS 3.1).
  • Broader context: Two additional vulnerabilities in the Kirki plugin affecting the same version range (CVE-2026-8073 and CVE-2026-8096, rated 7.5 and 6.5 respectively) were also disclosed in May 2026. Updating to version 6.0.7 addresses all three.

Affected Products

  • Kirki — Freeform Page Builder, Website Builder and Customizer plugin for WordPress, versions 6.0.0 through 6.0.6
  • Affects any WordPress site with the Kirki plugin installed and active at a vulnerable version — estimated approximately 150,000 sites
  • Sites running Kirki versions prior to 6.0.0 are not affected by this specific vulnerability

Per Wordfence Threat Intelligence and the Kirki plugin developer (Themeum):

  • Update the Kirki plugin to version 6.0.7 or later immediately. This is the only complete fix. Log in to your WordPress dashboard, navigate to Plugins, and update Kirki if it is installed and active. Verify the installed version after updating.
  • If you cannot immediately update, disable the Kirki plugin as a temporary measure to remove the attack surface entirely until the update can be applied.
  • After updating, review your site's user accounts — particularly administrator accounts — for any unauthorized additions, changes, or suspicious login activity that may indicate a compromise occurred prior to patching.
  • If you manage WordPress sites on behalf of clients or your organization, treat this as a priority update across all affected installations.

Notes

  • Active exploitation is confirmed as of June 1, 2026, with attacks already observed in the wild.
  • The attack requires no credentials or user interaction, making mass exploitation straightforward for even low-sophistication attackers.
  • The vulnerability was responsibly disclosed by security researcher CHOIGYEONGMIN through the Wordfence Bug Bounty Program. Themeum responded promptly and released a fix within two days of receiving full disclosure.

Additional Resources

Wordfence Threat Intelligence Advisory

Wordfence Blog

critical

Two Maximum Severity Zero-Days in Acer Wave 7 Routers

Updated: June 5th, 2026

Category: Acer

Source: Acer

Overview

Acer has disclosed two maximum severity zero-day vulnerabilities affecting its Wave 7 mesh routers. Both vulnerabilities can be exploited remotely by an unauthenticated attacker — no credentials or user interaction required. The first allows an attacker to retrieve plaintext login credentials stored in a log file accessible through the router's web interface. The second allows an attacker to decrypt, modify, and re-encrypt router backups using a hardcoded encryption key built into the device firmware, enabling persistent backdoor injection into the device.

No security patches are currently available. Acer is working on a firmware update targeted for release by the end of June 2026. Until then, Acer advises users to disable remote management or restrict internet remote access to trusted IP addresses only.


What You Need to Know

  • What they are: Two separate vulnerabilities — one that exposes login credentials to any unauthenticated attacker who can reach the device's web interface, and one that allows an attacker to manipulate router backups to implant a persistent backdoor.
  • Who can exploit them: Any unauthenticated remote attacker. No credentials or user interaction are required for either vulnerability.
  • CVE-2026-49200 — Credential Exposure: A log file on the router is accessible without authentication through the web interface. This file contains plaintext login credentials for the web administration interface and Telnet, giving an attacker immediate unauthorized access to the device.
  • CVE-2026-49201 — Persistent Backdoor Injection: The router's backup processing function uses a hardcoded AES encryption key embedded in the firmware. Because this key is fixed and cannot be changed, any attacker who knows it can decrypt any backup file, modify it to include malicious content, re-encrypt it, and restore it to the device — effectively installing a backdoor that persists across reboots and may survive a factory reset if a tampered backup is restored.
  • No patch is available. Acer has confirmed that firmware fixes are in development and targeted for deployment by the end of June 2026. The Acer advisory page should be monitored for updates.
  • Both vulnerabilities are rated CVSS 10.0 — maximum severity.
  • Risk is highest for devices with remote management enabled and the management interface exposed to the internet. Disabling remote management significantly reduces exposure.
  • Affects all Acer Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

Affected Products

  • Acer Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier
  • Risk is highest for devices with remote management enabled or the web administration interface accessible from the internet

Notes

  • This is a vulnerability in consumer/prosumer network hardware — not enterprise infrastructure. However, these devices may be in use by remote workers connecting to corporate networks, making them relevant to organizational security posture.
  • No active exploitation has been confirmed at this time. However, with both vulnerabilities rated maximum severity and technical details now publicly available, the window before exploitation attempts is potentially short.
  • CVE-2026-49201's persistent backdoor risk is particularly serious: if a tampered backup is restored to the device, a factory reset alone may not remove an attacker's access. Organizations supporting remote workers should emphasize the importance of applying the firmware update as soon as it is released.

Additional Resources

Acer Security Advisory

critical

Critical Cisco Unified Communications Manager Flaw

Updated: June 5th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has released security updates to address a critical vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability, tracked as CVE-2026-20230, allows an unauthenticated remote attacker to write files to the underlying operating system and ultimately escalate to root — the highest level of system control — without requiring any credentials or user interaction.

Cisco has rated this vulnerability Critical, overriding the base CVSS score, specifically because of the root escalation potential. Proof-of-concept exploit code is publicly available, meaning the barrier for attackers to attempt exploitation is significantly lowered. Cisco is not aware of active exploitation at this time, but the availability of public exploit code makes prompt action essential.

Patches are available. Organizations that cannot immediately patch have a mitigation option: disabling the WebDialer service, which is the specific component the vulnerability affects.


What You Need to Know

  • What it is: A server-side request forgery (SSRF) vulnerability — an attacker can send a specially crafted HTTP request to a vulnerable system to write files to the operating system, which can then be used to gain root-level control.
  • What Cisco Unified CM is: The central control system for Cisco IP telephony environments, managing call routing, device registration, and telephony features. It is widely deployed across enterprises, healthcare organizations, government agencies, and educational institutions.
  • Who can exploit it: Any unauthenticated remote attacker — no credentials, no prior access, and no user interaction required. The attack requires only that the system is reachable over the network and that the WebDialer service is enabled.
  • WebDialer is disabled by default. This vulnerability only affects systems where the WebDialer service has been explicitly enabled. Organizations that have never enabled WebDialer are not at risk.
  • Public exploit code exists. Cisco PSIRT has confirmed that proof-of-concept exploit code for CVE-2026-20230 is publicly available. Active exploitation has not been confirmed at this time, but the public availability of working exploit code shortens the window before attempts are likely.
  • Patches are available. This advisory is marked Final, meaning fixed software releases are available now for Unified CM release 14, and for release 15 via COP patch or the September 2026 update (15SU5). See the advisory for version-specific details.
  • A mitigation exists for organizations that cannot immediately patch: disabling the WebDialer service fully blocks the attack vector. This is a temporary measure only — Cisco strongly recommends upgrading to a fixed release.
  • No workarounds exist. Disabling WebDialer is described by Cisco as a mitigation, not a workaround — it reduces exposure but does not address the underlying vulnerability.
  • CVSS score: 8.6 Critical (CVSS 3.1), rated Critical by Cisco due to root escalation potential.

Affected Products

  • Cisco Unified Communications Manager (Unified CM), all releases prior to the fixed versions, where the WebDialer service is enabled
  • Cisco Unified Communications Manager Session Management Edition (Unified CM SME), all releases prior to the fixed versions, where the WebDialer service is enabled

Per Cisco Security Advisory:

  • Determine whether WebDialer is enabled on your systems. Instructions for checking WebDialer status are provided in the Cisco advisory. If WebDialer is not enabled, your system is not affected by this vulnerability.
  • If WebDialer is enabled, upgrade to a fixed software release immediately. Fixed releases are available now. Consult the advisory for the appropriate fixed release for your current software version and verify that your hardware and software configuration is supported before upgrading.
  • If you cannot immediately upgrade and WebDialer is enabled, disable the WebDialer service as a temporary mitigation. Cisco cautions that this should be assessed for operational impact before implementation, as disabling WebDialer will affect telephony features that depend on it.
  • Consult the Cisco advisory directly for step-by-step instructions on checking WebDialer status, disabling the service if needed, and upgrading to a fixed release.
  • Organizations without a Cisco service contract who purchased through a third party and cannot obtain a fixed release through their point of sale should contact Cisco TAC directly.

Notes

  • This is a vulnerability in Cisco IP telephony software — not a phishing attack or social engineering campaign.
  • No active exploitation has been confirmed at this time. However, proof-of-concept exploit code is publicly available, which significantly increases the likelihood of exploitation attempts in the near term.
  • Cisco has rated this vulnerability Critical specifically because successful exploitation can result in an attacker gaining root-level control of the system.
  • The vulnerability is only exploitable if WebDialer is enabled. Organizations should verify the status of this service as their first step.
  • This vulnerability was reported by an independent security researcher working with SSD Secure Disclosure.

Additional Resources

Cisco Security Advisory — CVE-2026-20230

high

Zero-Day in Cisco Catalyst SD-WAN Manager Actively Exploited

Updated: June 5th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has issued an urgent security advisory for an actively exploited, unpatched vulnerability in Cisco Catalyst SD-WAN Manager — the centralized software platform used to manage and monitor wide-area network infrastructure across an organization. The vulnerability, tracked as CVE-2026-20245, allows an attacker with a foothold on the system to escalate their access all the way to root — the highest level of system control — by uploading a specially crafted file.

A patch is not yet available and Cisco has confirmed there are no workarounds. Cisco directly observed limited cases in which exploitation resulted in unauthorized configuration changes being pushed out to connected network devices.

This vulnerability is part of a broader, ongoing pattern of attacks against Cisco Catalyst SD-WAN Manager. Cisco recommends customers upgrade immediately to the software release that addressed a related flaw in May 2026, collect diagnostic files before upgrading, and review logs for signs of compromise.


What You Need to Know

  • What it is: A privilege escalation vulnerability — an attacker who has already gained a limited foothold on the system can use this flaw to take full root-level control of the SD-WAN Manager platform.
  • What SD-WAN Manager is: Network management software that allows IT administrators to monitor and configure up to 6,000 Catalyst SD-WAN devices from a single dashboard. Compromise of this platform can affect an organization's entire managed network.
  • How the attack works: The attacker uploads a crafted file through the command-line interface of SD-WAN Manager. Because user input is not properly validated, the file triggers command injection — meaning the attacker's commands are executed as root.
  • Who can exploit it: An attacker must first have netadmin-level credentials on the affected system. Cisco states that in observed exploitation, attackers obtained these credentials either through valid stolen credentials or by exploiting one of two related actively exploited flaws — CVE-2026-20182 or CVE-2026-20127 — both of which have been used in ongoing attacks against Cisco SD-WAN infrastructure.
  • What exploitation looks like in practice: Cisco observed limited cases where successful exploitation resulted in configuration changes being pushed to edge network devices — meaning attackers used root-level control of the management platform to modify connected network equipment.
  • No patch is available. Cisco has not released a software update that addresses CVE-2026-20245. The advisory is marked Interim, meaning it will be updated as a fix becomes available.
  • No workarounds exist. Cisco explicitly states there are no workarounds that address this vulnerability.
  • Exploitation confirmed: Cisco PSIRT became aware of active exploitation in June 2026 after Mandiant reported the vulnerability.
  • All deployment types are affected, including On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
  • CVSS score: 7.8 High (CVSS 3.1).
  • Broader context: Over the past several months, Cisco has addressed or flagged five separate Catalyst SD-WAN vulnerabilities as actively exploited in the wild, indicating a sustained and coordinated campaign targeting this platform.

Affected Products

  • Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), all versions prior to the May 14, 2026 fixed release for CVE-2026-20182
  • All deployment types: On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP)
  • Primarily affects enterprises, government agencies, managed service providers, and large organizations running Cisco-managed wide-area networks

Vendor Guidance

(Per Cisco Security Advisory)

  • Before doing anything else, collect admin-tech files. Issue the request admin-tech command from each control component in your SD-WAN deployment before upgrading. These diagnostic files preserve evidence that Cisco TAC will need to assess whether your system has been compromised. Do not upgrade before collecting them.
  • Upgrade to the fixed release published on May 14, 2026 for CVE-2026-20182, as documented in Cisco Security Advisory. While this release does not directly patch CVE-2026-20245, Cisco recommends it as the current best available mitigation because it removes the primary known attack vector used to reach the privilege escalation stage.
  • After upgrading, verify the configuration of your edge devices for any unauthorized changes that may have been pushed during a potential compromise window.
  • Review the scripts.log file at /var/log/scripts.log for entries matching the pattern described in the IoCs section below. Note that Cisco cautions these are legitimate system commands and will not on their own confirm compromise — they must be assessed in the context of your normal network activity.
  • If you suspect compromise, do not rely on the software upgrade alone to resolve the situation. Open a case with Cisco TAC and provide the admin-tech files. Cisco has indicated that specific remediation steps will be provided on a case-by-case basis, and this section of the advisory will be updated as more information becomes available.
  • Monitor the Cisco advisory page for updates as a patch release date has not yet been announced.

Indicators of Compromise

Cisco has published indicators of compromise in its security advisory to help administrators determine whether their Catalyst SD-WAN Manager systems have been affected. Organizations should review the advisory directly for details and, if compromise is suspected, open a case with Cisco TAC before taking any other action.


Notes

  • Active exploitation is confirmed as of June 2026. 
  • No patch and no workaround exist at the time of publication. This advisory is marked Interim and will be updated when a fix is available.
  • Exploitation requires an attacker to already have netadmin-level credentials — this is not a zero-click, unauthenticated remote exploit on its own. However, two other actively exploited Cisco SD-WAN flaws (CVE-2026-20182 and CVE-2026-20127) are being used to obtain those credentials as part of the same attack chain.
  • Cisco has observed limited but confirmed cases where exploitation led to unauthorized changes being pushed to connected network devices — demonstrating that attackers are actively leveraging this access, not merely probing.
  • Organizations running Cisco Catalyst SD-WAN infrastructure should treat this as an active incident risk and review their environments regardless of whether they have observed direct signs of compromise.

Additional Resources

Cisco Security Advisory — CVE-2026-20245

Cisco Security Advisory — CVE-2026-20182

Cisco Security Advisory — CVE-2026-20127

critical

WP Maps Pro Plugin Flaw Lets Attackers Hijack WordPress Sites

Updated: June 1st, 2026

Category: WordPress

Source: Wordfence

Overview

A critical vulnerability in the WP Maps Pro WordPress plugin allows anyone — with no login or credentials — to create a new administrator account on an affected website and gain instant, full control of it. The flaw, tracked as CVE-2026-8732, affects all versions of the plugin up to and including 6.1.0. A patched version, 6.1.1, was released on May 20, 2026, but active exploitation of unpatched sites is now confirmed.

WP Maps Pro is a premium plugin used to embed customizable maps and store locators on WordPress websites. It is commonly used by businesses, real estate sites, travel websites, and directories — many of them small or mid-sized organizations. The plugin has over 15,000 sales.

Wordfence, a leading WordPress security firm, has blocked over 3,600 exploitation attempts in a single 24-hour period. WordPress site owners running this plugin should update immediately.


What You Need to Know

  • What it is: A privilege escalation vulnerability — meaning an attacker can jump from having no access at all to having full administrator-level control of a WordPress site, without any credentials.
  • How it works: The plugin includes a "temporary access" feature intended to let the plugin's support staff log into customer sites to help with troubleshooting. A design flaw left that feature accessible to anyone on the internet, not just authorized support staff. An attacker can trigger it to create a new admin account and receive a login link — no password required.
  • What an attacker can do with admin access: Install malicious plugins, inject hidden backdoors into the site, access private customer data, modify or delete content, deface the website, or use the site as a platform to attack visitors.
  • No credentials required: The attack can be carried out by anyone with internet access. No prior account, login, or knowledge of the site is needed.
  • No user interaction required: The site owner or any visitor does not need to click anything. The attack is carried out entirely through the website's backend.
  • Active exploitation is confirmed: Wordfence has observed and blocked over 3,600 exploitation attempts against affected sites in the 24 hours prior to publication on May 31, 2026.
  • A patch is available: Version 6.1.1 was released on May 20, 2026 and fully resolves the vulnerability.
  • CVSS score: 9.8 Critical, as assigned by Wordfence.

Affected Products

  • WordPress websites running WP Maps Pro version 6.1.0 or earlier
  • The plugin is sold through Envato Market (CodeCanyon) and has over 15,000 sales
  • Typical users include business websites, real estate sites, travel and tourism sites, directories, and any organization using interactive map or store locator features on their WordPress site
  • Sites that have already updated to version 6.1.1 are not affected

Vendor Guidance

(Per Wordfence Security Advisory — CVE-2026-8732)

  • Update WP Maps Pro to version 6.1.1 immediately. This is the patched release and resolves the vulnerability entirely. Log into your WordPress dashboard, go to Plugins, and check for available updates.
  • If your site has already been compromised — for example if you discover unexpected administrator accounts — treat the site as fully compromised. Review all administrator accounts, remove any that were not created by you or your team, check for newly installed plugins or theme modifications, and contact a qualified WordPress security professional if needed.
  • Check your WordPress user list now for any unfamiliar administrator accounts, particularly those with randomly generated usernames beginning with fc_user_ or associated with the email address [email protected]. These are the identifiers used by the malicious accounts this vulnerability creates.

Additional Best Practices

  • If your WordPress site is managed by a web developer or hosting provider, contact them to confirm the plugin has been updated.
  • Wordfence Premium users received firewall protection against this vulnerability on May 18, 2026. Sites using the free version of Wordfence will receive the same firewall rule on June 17, 2026. Firewall protection is a supplementary layer — it does not replace updating the plugin.

Indicators of Compromise

The following indicators are based on the technical details published in the Wordfence advisory. If any of these are present on your site, it may have already been compromised.

Suspicious administrator accounts to look for:

  • WordPress user accounts with usernames beginning with fc_user_ followed by a string of random characters — this is the naming pattern the vulnerability uses to create rogue accounts
  • Any administrator account associated with the email address [email protected] — this is the hardcoded email address written into the vulnerable plugin code and used in all accounts created through this exploit

What to do if you find them: Do not simply delete the account and consider the matter resolved. The presence of a rogue admin account means the attacker has already had full control of your site, potentially long enough to install backdoors or make hidden changes. Delete the unauthorized account, update the plugin immediately, and conduct a full review of recently installed plugins, theme files, and user accounts. If you are not comfortable doing this yourself, engage a WordPress security professional or your hosting provider.


Notes

  • This is a vulnerability in a WordPress plugin — not a phishing attack. No site visitor or owner needs to take any action for the attack to succeed.
  • No user interaction is required. The attack is carried out remotely against the website's backend.
  • Active exploitation is confirmed as of May 31, 2026, with over 3,600 blocked attempts recorded in 24 hours.
  • The vulnerability originated in a built-in vendor support feature, not a standard user-facing function — a reminder that support backdoors in plugins can become significant security liabilities if not properly restricted.
  • Organizations using WordPress with this plugin and no active security monitoring may already have been targeted without knowing it.

Additional Resources

Wordfence Security Advisory

WP Maps Pro on Envato Market

high

Palo Alto GlobalProtect VPN Authentication Bypass — Active Exploitation Confirmed

Updated: June 1st, 2026

Category: Palo Alto

Source: Palo Alto

Overview

Palo Alto Networks has confirmed that attackers are actively exploiting a vulnerability in GlobalProtect, the VPN component used by many organizations to give employees secure remote access to corporate networks. The flaw — tracked as CVE-2026-0257 — allows an attacker with no username or password to forge the digital tokens the VPN uses to recognize returning users, and in some cases use those forged tokens to connect directly to an organization's internal network.

The vulnerability was first patched on May 13, 2026, with an initial severity rating of Medium due to the specific configuration required for exposure. However, after Rapid7 reported confirmed exploitation across multiple customer environments, Palo Alto Networks updated the advisory on May 29 to reflect active attacks and raised its urgency rating to Highest. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day, ordering federal agencies to remediate by June 1, 2026.

Patches are available. Organizations running GlobalProtect should check whether they are in a vulnerable configuration and update immediately.


What You Need to Know

  • What it is: A flaw in how GlobalProtect handles authentication override cookies — small digital tokens that allow users to reconnect to the VPN without re-entering their credentials each time, similar in concept to a "remember me" session. The flaw allows attackers to forge these tokens without knowing any valid credentials.
  • Why it matters: A successful attacker can authenticate to the GlobalProtect gateway and, in some cases, establish a full VPN connection — gaining access to the internal corporate network as if they were a legitimate remote user.
  • No credentials required: The attack requires no username, password, or prior access to the organization's systems.
  • No user interaction required: This is a network-level vulnerability. No employee needs to click a link or open a file for an attack to succeed.
  • Specific configuration required: Only devices where authentication override cookies are enabled and where the same certificate is used for both the VPN's HTTPS service and the authentication override feature are vulnerable. This is not the default configuration on all devices, but it is a common one. Palo Alto's advisory includes step-by-step instructions for checking whether your deployment is affected.
  • Exploitation is confirmed: Rapid7 observed successful exploitation across multiple customer environments beginning May 17, 2026. Two waves of attacks were detected — one originating from Vultr-hosted infrastructure on May 18, and a second from Dromatics Systems infrastructure on May 21.
  • Partial impact in most cases: In 8 out of 10 affected environments observed by Rapid7, attackers successfully authenticated using forged cookies but could not establish a full VPN session. In the remaining cases, a VPN connection was established and internal network access was granted.
  • No lateral movement observed: Rapid7 did not observe evidence of attackers moving further into affected networks beyond the initial VPN access point.
  • A public proof-of-concept exploit exists: Rapid7 developed and published a working exploit script that demonstrates the full attack path, lowering the technical barrier for other attackers.
  • CISA KEV: Added May 29, 2026. Federal agencies must remediate by June 1, 2026. CISA urges all organizations to treat this as a priority regardless of sector.
  • CVSS score: 7.8 High (CVSS 4.0, as assigned by Palo Alto Networks).
  • Panorama and Cloud NGFW are not affected by this vulnerability.

Affected Products

The vulnerability affects PAN-OS and Prisma Access deployments with GlobalProtect portal or gateway configured, where authentication override cookies are enabled and the same certificate is shared between the HTTPS service and the authentication override feature.

Affected PAN-OS versions by branch:

  • PAN-OS 12.1: versions below 12.1.4-h6 or 12.1.7
  • PAN-OS 11.2: versions below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12
  • PAN-OS 11.1: versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
  • PAN-OS 10.2: versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
  • Prisma Access 11.2: versions below 11.2.7-h13
  • Prisma Access 10.2: versions below 10.2.10-h36
  • All older, unsupported PAN-OS versions

Not affected:

  • Cloud NGFW (all versions)
  • Panorama
  • Devices where authentication override cookies are not enabled

Vendor Guidance

(Per Palo Alto Networks Security Advisory CVE-2026-0257 and CISA)

  • Check whether your deployment is vulnerable by verifying if authentication override cookies are enabled on your GlobalProtect portal or gateway. Palo Alto's advisory provides step-by-step navigation instructions for confirming this in the management interface.
  • Update to a patched version for your PAN-OS branch as listed in the Affected section above. Consult the vendor advisory for the specific recommended target version for your current release.
  • Important post-upgrade note: After applying the patch, users will be required to re-authenticate to GlobalProtect once, even if a valid cookie is present. This is a one-time requirement and is expected behaviour. Normal cookie-based authentication will resume after that initial re-authentication.
  • If immediate patching is not possible, apply one of the following interim mitigations:
    • Use a dedicated certificate for authentication override cookies: Generate a new certificate exclusively for this feature and store it securely. Do not reuse the portal or gateway HTTPS certificate, and do not share this certificate with any other feature or user.
    • Disable authentication override entirely: Uncheck the authentication override options (for generating and accepting cookies) in both the GlobalProtect portal and gateway configuration.
  • Prisma Access customers are being upgraded automatically by Palo Alto Networks according to the schedule communicated to customers. Confirm your upgrade status with your account team if needed.
  • Apply mitigations per vendor instructions, follow CISA BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Indicators of Compromise

The following indicators were published by Rapid7 based on their observed exploitation activity. Rapid7 notes that these are associated with low-cost hosting providers frequently used as attack infrastructure and are subject to change as threat actors rotate their resources.

Attacker source IP addresses observed in exploitation:

  • 104.207.144.154 (first wave, May 18 — hosted on Vultr)
  • 146.19.216.119 (second wave, May 21 — hosted on Dromatics Systems)
  • 146.19.216.120 (second wave, May 21 — hosted on Dromatics Systems)
  • 146.19.216.125 (second wave, May 21 — hosted on Dromatics Systems)

Machine names observed in GlobalProtect authentication logs alongside successful exploitation:

  • GP-CLIENT — seen alongside Linux-based authentications in the first wave (May 17–18)
  • DESKTOP-GP01 — seen alongside Windows-based authentications in the second wave (May 21)

Spoofed MAC address observed in both waves:

  • aa:bb:cc:dd:ee:ff — a placeholder MAC address used in the forged authentication cookies; its presence in GlobalProtect logs strongly suggests exploitation activity

What these mean and what to do: If any of these IP addresses appear in your GlobalProtect authentication logs, or if you see the machine names or MAC address above in connection with unexpected cookie-based logins — particularly to the local administrator account — treat the device as potentially compromised. Isolate the affected appliance if possible and contact your IT security team or managed security provider immediately. Review logs for any VPN sessions that were established following the suspicious authentication events.


Notes

  • This is a vulnerability in Palo Alto Networks PAN-OS software — not a phishing attack. No employee action is required for exploitation.
  • No user interaction is required. The attack is carried out entirely at the network level against the internet-facing VPN appliance.
  • Active exploitation is confirmed as of May 17, 2026, with a second wave observed May 21, 2026.
  • The vulnerable configuration — authentication override cookies enabled with a shared certificate — is not enabled by default on all devices, but is common in practice. Confirm your configuration before assuming you are not affected.
  • public proof-of-concept exploit is now available, meaning the technical barrier for attackers to replicate these attacks is low.
  • Rapid7 observed no lateral movement in affected customer environments at time of reporting, but VPN-level access to an internal network is a significant initial foothold that could be used for further activity.

Additional Resources

Palo Alto Networks Security Advisory

Rapid7 Blog

none

Fake ChatGPT and Claude Pages Used to Deliver Malware

Updated: June 1st, 2026

Category: Malware

Source: Push Security

Overview

A live malware campaign — dubbed "LLMShare" by researchers at Push Security — is abusing the content-sharing features of AI chatbot platforms to trick users into downloading malware. Both ChatGPT and Claude are affected.

The attack begins with a sponsored Google ad targeting people searching for ChatGPT. Clicking the ad takes the victim to a page hosted on chatgpt.com — a real, legitimate OpenAI domain — that displays a  fake outage notice claiming the web version is unavailable due to high traffic, and prompting the user to download the ChatGPT desktop app. The download button redirects to a convincing imitation of ChatGPT's official download page, where both Windows and macOS users are served malware disguised as the ChatGPT application.

This is not a software vulnerability. There is no flaw to patch. The attack relies entirely on deceiving the user — and it is deliberately designed to defeat the instincts most users rely on to spot a scam. The page looks legitimate, and the domain it comes from is legitimate.

This campaign is confirmed active at the time of writing.


What You Need to Know

  • What it is: A social engineering and malvertising campaign — malvertising refers to malware distributed through paid advertisements on search engines. Attackers pay to display fake ads that direct users to malicious content.
  • Why it is unusually convincing: The fake outage page is hosted on chatgpt.com itself, not a lookalike domain. ChatGPT's sharing feature allows anyone to publish rendered web content at a chatgpt.com/s/ URL. Attackers used this to build and host a polished fake outage notice on OpenAI's own domain. Even a careful user who checks the URL before clicking will see a legitimate ChatGPT address.
  • How the attack reaches victims: Sponsored Google ads targeting searches for "chatgpt," "chat gpt," "chatgpt free," and common typos like "chatgo" and "chatgot." Users who click the ad are taken directly to the malicious shared page.
  • What happens if you click the download button: You are redirected to a fake ChatGPT download site at the domain openew[.]app, which closely replicates the appearance of OpenAI's real download page. Separate malicious installers are available for Windows and macOS.
  • What the malware does: The exact payload has not been fully confirmed. Earlier campaigns using the same technique on ChatGPT and Claude delivered infostealers — malware that silently harvests saved passwords, browser session tokens, and credentials stored on the device. Push Security notes that the Windows executable checks whether it is running on a real computer or a virtual machine, a common technique used to avoid detection in security analysis environments.
  • Claude is also being abused: A parallel variant of this campaign uses Claude.ai's conversation-sharing feature to display fake installation guides, attributed to "Apple Support," that instruct macOS users to paste a terminal command that downloads and executes malware. Both ChatGPT and Claude variants are appearing in the wild simultaneously.
  • The site evades automated security scanning: The fake download site uses cloaking — it detects automated scanning tools and displays a harmless, unrelated website to them, while showing the malicious content only to real visitors. This makes the infrastructure harder for threat intelligence services to identify and block.
  • No vendor patch exists: This is an abuse of a legitimate platform feature, not a product vulnerability. There is no software update that resolves this threat.
  • Campaign is ongoing: Push Security confirmed this campaign was still generating detections across customer environments at the time of publication on May 29, 2026.

Affected

  • Any Windows or macOS user who searches for ChatGPT using a search engine and clicks a sponsored advertisement
  • Any user who follows a shared chatgpt.com/s/ or claude.ai/share/ link circulated through this campaign
  • Organizations whose employees use ChatGPT or Claude in the course of their work — including non-technical staff who may be less familiar with how these services are normally accessed
  • Businesses in any sector; Push Security notes that malvertising campaigns can be precisely scoped by geography, job role, and other targeting criteria, meaning the apparent audience can be narrowed to specific industries or regions

Vendor Guidance

No formal security advisory has been issued by OpenAI, Anthropic, or CISA specific to this campaign at the time of publication. The following actions are based on the researcher guidance published by Push Security.

  • Do not download ChatGPT or Claude from any source other than the official vendor websites:
    • ChatGPT desktop app: chatgpt.com/download
    • Claude: claude.ai
  • Do not click sponsored or promoted search results when searching for AI tools. Navigate directly to the official website by typing the address into your browser's address bar.
  • If you have recently downloaded what you believed to be a ChatGPT or Claude installer from a source other than the official site, treat the device as potentially compromised. Change passwords for any accounts accessed on that device, particularly email, banking, and business applications, and contact your IT support team.
  • Be skeptical of any page — even one on a trusted domain — that prompts you to download software. ChatGPT's web version does not display outage notices that require users to download a desktop application to continue.

Additional Best Practices

  • Inform employees who use ChatGPT, Claude, or other AI tools that this campaign is active, and remind them to access these tools only through bookmarked or directly typed URLs — not through search engine ads.
  • Organizations using web filtering or endpoint security tools should confirm whether the known malicious domain openew[.]app is blocked. Note that the campaign rotates infrastructure, so domain-based blocking alone is not a complete defence.

Indicators of Compromise

Push Security published the following indicators observed at the time of their report. They explicitly note that these are short-lived and subject to change as attackers rotate their infrastructure — the absence of these specific indicators in your environment does not mean you are not at risk.

The following are provided for awareness and investigation purposes:

  • Malicious shared ChatGPT page URL: hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d
  • Malicious shared Claude page URL: hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131
  • Fake download site domain: openew[.]app
  • Malicious Windows installer file hash (SHA-256): de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78

What these mean and what to do if you see them: If any of these URLs appear in your browser history, web proxy logs, or endpoint telemetry, a user on your network was exposed to this campaign. The presence of the file hash in your environment would indicate the malicious installer was downloaded. In either case, treat the affected device as potentially compromised, isolate it if possible, and contact your IT security team immediately.


Notes

  • This is a social engineering and malware delivery campaign, not a software vulnerability. No patch exists and none will resolve this threat.
  • User action is required for compromise — the victim must click the Google ad, then click the download button, then run the installer. Each step is an opportunity to stop the attack.
  • Active exploitation is confirmed. Push Security observed detections across multiple customer environments at the time of publication.
  • The attack is specifically designed to defeat the most common advice given to users: "check the URL before you click." The URL is genuinely from chatgpt.com.
  • This campaign reflects a broader trend of attackers abusing legitimate platforms — including GitHub, Microsoft, Google, and Cloudflare infrastructure — as delivery and hosting layers, because trusted domains bypass the URL reputation checks that security tools rely on.
  • OpenAI and Anthropic had not issued public statements or advisories specific to this campaign at the time of publication.

Additional Resources

Push Security — LLMShare Research Blog

BleepingComputer 

critical

Critical SQL Injection Vulnerability in Drupal Core — Active Exploitation Underway

Updated: June 1st, 2026

Category: Drupal

Source: Drupal

Overview

A critical security flaw has been discovered and patched in Drupal, one of the world's most widely used website and content management platforms. The vulnerability — tracked as CVE-2026-9082 — allows an attacker with no account or login credentials to send specially crafted requests to a vulnerable Drupal site and inject malicious database commands. This type of attack is known as SQL injection: the attacker manipulates the queries a website sends to its database in order to extract data, modify records, or gain deeper access to the server.

This is a flaw in Drupal's core software — not a plugin or add-on. It requires no user interaction and no authentication to exploit. Active attacks have been confirmed. Organizations running Drupal should treat this as an emergency patching priority. Patches are available now.


What You Need to Know

  • What it is: A SQL injection flaw in Drupal's database abstraction API — the core component that manages how Drupal communicates with its database. An attacker can manipulate that communication to execute unauthorized database commands.
  • Why it matters: Successful exploitation can lead to sensitive data being exposed, unauthorized changes to site content or records, privilege escalation (attackers gaining higher-level access), or in some cases full remote code execution — meaning an attacker could run their own commands on the server.
  • Who is affected: Organizations running Drupal versions 8.9.0 through 11.3.x on a PostgreSQL database backend. Drupal sites using MySQL or MariaDB databases are not vulnerable to the SQL injection component of this flaw.
  • No credentials required: The vulnerability can be exploited by anyone — no account, login, or prior access to the site is needed.
  • No user interaction required: Victims do not need to click a link or open a file. Attackers can probe and exploit the site directly over the internet.
  • Exploitation status: Confirmed and actively underway. Imperva has recorded over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries since the vulnerability was disclosed on May 20, 2026.
  • Patches are available now: Drupal released fixed versions on May 20, 2026. Updates are available for all currently supported release branches.
  • All sites should still update: Even if your Drupal site does not use PostgreSQL, the patched releases include important security updates for two third-party components — Symfony and Twig — that Drupal depends on. Drupal recommends all sites update regardless of database type.
  • North American exposure: Internet monitoring group Shadowserver identified approximately 272 unpatched Drupal installations in North America still exposed to the internet as of the time of reporting.

Affected Products

The following Drupal core versions are affected:

  • Drupal 11.3.0 through 11.3.9
  • Drupal 11.2.0 through 11.2.11
  • Drupal 11.0.0 through 11.1.9
  • Drupal 10.6.0 through 10.6.8
  • Drupal 10.5.0 through 10.5.9
  • Drupal 8.9.0 through 10.4.9

Drupal 8 and 9 are end-of-life and no longer receive full security support. Manual patches for this specific issue have been provided on a best-effort basis only. These versions remain exposed to all previously disclosed, unpatched vulnerabilities.

Drupal is commonly deployed by government agencies, universities, large enterprises, financial institutions, healthcare organizations, and media companies. Smaller organizations using Drupal are equally affected where the above conditions apply.


Vendor Guidance

(Per Drupal Security Advisory SA-CORE-2026-004 and CISA)

  • Update Drupal immediately to the patched version for your current release branch:
    • Drupal 11.3.x → update to 11.3.10
    • Drupal 11.2.x → update to 11.2.12
    • Drupal 11.1.x or 11.0.x → update to 11.1.10
    • Drupal 10.6.x → update to 10.6.9
    • Drupal 10.5.x → update to 10.5.10
    • Drupal 10.4.x or earlier (back to 8.9.0) → update to 10.4.10
  • If you are running Drupal 8 or 9 (both end-of-life), manually apply the patches provided by Drupal for this issue as a temporary measure, and plan to upgrade to a supported version as a priority.
  • Even if your site uses MySQL or MariaDB, update to the patched release to receive the bundled Symfony and Twig security fixes included in these releases.
  • Review which user roles on your site have the ability to update Twig templates — for example through the Views module or contributed modules — as part of the broader update process.
  • Apply mitigations per vendor instructions, follow CISA BOD 22-01 guidance for cloud-hosted environments, or discontinue use of the product if mitigations are unavailable.

Additional Best Practices

  • If your Drupal site is managed by a third-party hosting provider or agency, contact them immediately to confirm whether patching has been applied or is scheduled.
  • If you are unsure whether your Drupal installation uses PostgreSQL, check with your web developer, hosting provider, or IT administrator.

Notes

  • This is a vulnerability in Drupal core software — not a phishing attack or social engineering campaign.
  • No user interaction is required. Attackers can exploit this vulnerability directly through web requests, without any action from the site owner or visitors.
  • Active exploitation is confirmed. Attacks began almost immediately after the vulnerability was disclosed on May 20, 2026.
  • The SQL injection component affects PostgreSQL-backed Drupal sites only; however, the same patch releases include additional security fixes that apply to all Drupal installations.
  • Drupal 8 and 9 are end-of-life and do not receive ongoing security coverage. Manual patches are provided for this specific issue only.
  • CISA has historically flagged five Drupal vulnerabilities as exploited in the wild; two were subsequently used in ransomware attacks.

Additional Resources

Drupal Security Advisory

Imperva Threat Research

medium

Avada Builder WordPress Plugin — Update to 3.15.3 (CVE-2026-4782, CVE-2026-4798)

Updated: May 22nd, 2026

Category: WordPress

Source: Wordfence

Overview

Two vulnerabilities have been disclosed in Avada Builder (plugin slug: fusion-builder), a page builder used with the popular Avada WordPress theme on roughly 1,000,000 sites:

  • CVE-2026-4782 — Authenticated arbitrary file read (CVSS 6.5). Any user with Subscriber-level access can read files on the server, including wp-config.php (database credentials and WordPress secret keys), which typically leads to full site takeover. Affects versions ≤ 3.15.2.
  • CVE-2026-4798 — Unauthenticated SQL injection (CVSS 7.5). Lets attackers extract data including password hashes. Only exploitable if WooCommerce was previously installed and then deactivated without removing its database tables. Affects versions ≤ 3.15.1.

Both are fixed in Avada Builder 3.15.3. No confirmed in-the-wild exploitation at the time of writing, but technical details are public.

 


  • Update Avada Builder to version 3.15.3 or later on every WordPress site that uses it. Version 3.15.2 only partially fixes the file-read flaw — 3.15.3 is required.
  • If your site is managed by an external web agency, forward this alert and ask for written confirmation that 3.15.3 is installed.
  • Take a backup before updating, and verify the site afterward.

The risk is concentrated in two common SMB scenarios: sites that allow user registration (comments, memberships, downloads) and sites that previously used and removed WooCommerce. If either applies, prioritize the update.

 


Notes

  • This is a product vulnerability. The fix is straightforward: update the plugin.
  • If you have any reason to believe the site may already have been accessed, after patching also rotate the WordPress database password, regenerate the secret keys/salts in wp-config.php, and force password resets for admin and editor accounts.

 


Additional Resources

Wordfence

medium

Windows BitLocker "YellowKey" Zero-Day — Mitigation Available, No Patch Yet (CVE-2026-45585)

Updated: May 22nd, 2026

Category: Microsoft

Source: Microsoft

Overview

A publicly disclosed Windows zero-day nicknamed "YellowKey" (CVE-2026-45585) lets an attacker with physical access to a Windows device bypass BitLocker drive encryption and read or modify the contents of the protected drive. The flaw was disclosed without coordination with Microsoft by a researcher known as "Nightmare Eclipse," who also released a working proof-of-concept exploit.

Exploitation requires the attacker to place specially crafted files on a USB drive or EFI partition, reboot into the Windows Recovery Environment (WinRE), and trigger a shell with access to the BitLocker-protected volume.

Microsoft has not yet released a patch, but on May 19 issued an advisory with mitigation guidance, and on May 21 published an official PowerShell script that implements the recommended mitigation automatically. Microsoft also confirms that devices configured with BitLocker TPM+PIN are not exploitable via this vulnerability.

 


What You Need to Know

  • What it is: A BitLocker security feature bypass. The attack abuses an executable (autofstx.exe) that runs very early during WinRE boot and can be leveraged to gain access to the encrypted volume.
  • Why it matters: BitLocker is the primary protection many SMBs rely on for lost or stolen laptops, decommissioned drives, and devices left unattended during travel. A successful exploit means an attacker who steals or briefly handles a device can recover encrypted business data — including customer information, financial records, and credentials cached on disk.
  • Who is affected (per MSRC):
    • Windows 11 version 24H225H226H1 (x64)
    • Windows Server 2025 (including Server Core)
    • In practice, the underlying WinRE / BitLocker design issue affects a broader range of Windows installations using TPM-only BitLocker; Microsoft's listed products are those receiving the CVE coverage.
  • Attack vector: Physical access required (CVSS Attack Vector: Physical). This is not a remote or network-borne exploit.
  • Privileges required: None. User interaction: None.
  • Exploitation status: Publicly disclosed with PoC. Microsoft's exploitability assessment is "Exploitation More Likely." Microsoft states the vulnerability is not currently being exploited in the wild, but the same researcher's other recent disclosures (BlueHammer / CVE-2026-33825, RedSun) are now being exploited.
  • Patch status: No security update yet. Microsoft has issued the CVE specifically to deliver mitigation guidance until a patch is released.
  • Key protection: Devices configured with BitLocker TPM+PIN (a pre-boot PIN) are not exploitable, per Microsoft.
  • CVSS: 6.8 base / 6.3 temporal (Microsoft) — Important severity.

 


Vendor Guidance (Microsoft)

Microsoft offers two complementary mitigations. The first hardens WinRE; the second is the strongest protection and stops the attack outright.

1. Run Microsoft's official mitigation script (recommended on existing devices)

Microsoft has published a PowerShell script in the CVE-2026-45585 advisory that:

  • Removes the autofstx.exe entry from the WinRE BootExecute registry value
  • Mounts and edits the offline WinRE registry hive safely
  • Re-seals WinRE so the BitLocker trust chain remains intact
  • Exits cleanly with no changes if the entry isn't present

Use the script directly from the MSRC advisory (linked below). Microsoft updated it on May 21, 2026 (revision 1.4) to make it language-agnostic, and recommends re-copying the latest version before running. Implementing the mitigation does not require reverting when a patch ships — Microsoft confirms the patch will preserve the mitigation behaviour.

2. Configure BitLocker to require TPM+PIN (strongest protection)

This fully prevents YellowKey exploitation and also defends against most other physical-access BitLocker attacks.

  • For devices already encrypted with TPM-only: Reconfigure BitLocker to TPM+PIN mode using PowerShell (Add-BitLockerKeyProtector), manage-bde, or the BitLocker control panel.
  • For devices not yet encrypted: Enable the Group Policy or Intune setting "Require additional authentication at startup," with "Configure TPM startup PIN" set to "Require startup PIN with TPM." Then enable BitLocker.

TPM+PIN means users will need to enter a short pre-boot PIN at startup before Windows loads. Plan a brief end-user communication so people aren't surprised on next reboot.

Additional Best Practices

  • Prioritize laptops and any devices that leave the office (employee homes, travel, customer sites, vehicles). These are where the physical-access threat is realistic.
  • Confirm BitLocker is actually enabled on every Windows endpoint that stores business data. In SMB environments it's common to find devices that were never enrolled.
  • Confirm BitLocker recovery keys are escrowed to Entra ID / Active Directory / Intune before changing BitLocker configuration, so a misstep doesn't lock anyone out.
  • Maintain physical security basics: locked offices, cable locks where appropriate, clear policies for handling lost/stolen devices, and prompt remote wipe / disable for missing equipment.
  • Watch for the patch. Microsoft has signaled a security update is coming; apply it through your normal patch process when released.

 


Notes

  • This is a physical-access vulnerability — not a phishing or remote-exploitation issue. Risk is concentrated in mobile devices and any device that can leave a controlled environment.
  • Public PoC exists, and Microsoft rates exploitation as "More Likely." Active in-the-wild exploitation has not been confirmed at the time of writing.
  • TPM+PIN fully mitigates the issue per Microsoft. Consider this the durable fix even after the eventual patch.
  • No patch is available yet. The mitigations above are interim — apply the patch when Microsoft ships it.

 


Additional Resources

Microsoft MSRC — CVE-2026-45585

Microsoft MSRC — CVE-2026-33825

Microsoft Learn — BitLocker countermeasures and pre-boot authentication (TPM+PIN) guidance

high

SonicWall SSL-VPN MFA Bypass Actively Exploited — Patching Alone Is Not Enough on Gen6 (CVE-2024-12802)

Updated: May 22nd, 2026

Category: SonicWall

Source: SonicWall

Overview

A vulnerability in SonicWall SSL-VPN (CVE-2024-12802) can allow attackers with valid usernames and passwords to bypass multi-factor authentication (MFA) when the firewall is integrated with Microsoft Active Directory and configured to accept the UPN ("user@domain") login format. Researchers at ReliaQuest have observed this flaw being actively exploited in the wild between February and March 2026, with the attacker behaving like an initial access broker — logging in, doing quick reconnaissance, and later returning (or selling access) for ransomware-style follow-on activity.

The most important nuance for SMB readers: on Gen6 firewalls running firmware 6.5.5.1-6ninstalling the firmware update alone does not fully fix the issue. A manual reconfiguration of the LDAP/Active Directory settings is also required. Customers running 6.5.5.2-28n or higher do not need the manual steps. Gen7 and Gen8 firewalls running the latest fixed firmware (7.2.0-7015 / 8.0.1-8017) include the remediation built in.

In several incidents, attacker logins still showed up in logs as a normal, successful MFA flow, which can mislead defenders into thinking MFA worked when it actually did not.

 


What You Need to Know

  • What it is: An MFA bypass in SonicWall SSL-VPN. Microsoft Active Directory accounts have two name formats — the UPN ([email protected]) and the SAM account name (DOMAIN\user). SonicWall handled these as if they were separate logins, so MFA configured against one format could be skipped by logging in with the other.
  • Why it matters: SSL-VPN is the front door to many SMB networks. Bypassing MFA gives an attacker the same access as a legitimate remote worker. ReliaQuest observed the attacker reaching internal file servers within roughly 30 minutes, attempting to deploy Cobalt Strike (an attacker command-and-control tool) and a vulnerable driver to disable endpoint security (a technique known as Bring Your Own Vulnerable Driver / BYOVD). EDR blocked the follow-on activity in the cases investigated, but the initial access succeeded.
  • Who is affected: Organizations using SonicWall SSL-VPN with Active Directory / LDAP authentication using the UPN login format. Affected products per SonicWall's advisory include Gen6 firewalls and Gen6 NSv, Gen7 firewalls and NSv, Gen8 firewalls (TZ80, NSa 2800), and SMA100 appliances on older firmware.
  • Exploitation status: Confirmed active exploitation in the wild (ReliaQuest, multiple sectors and geographies). Attackers have used this bypass as initial access for ransomware-aligned activity.
  • User interaction required: No. Exploitation requires valid credentials (which attackers obtained via brute force or reuse), but no action from the legitimate user.
  • Patch status: Patches are available, but on Gen6 6.5.5.1-6n additional manual remediation steps are requiredGen6 6.5.5.2-28n and higherGen7 7.2.0-7015 and higher, and Gen8 8.0.1-8017 and higher include the remediation in the firmware itself.
  • Important clarifications:
    • Logs of attacker logins may look like a normal MFA flow — do not rely on log appearance alone to confirm MFA is working.
    • Gen6 SSL-VPN appliances reached end-of-life on April 16, 2026 and no longer receive security updates. Organizations still running Gen6 SSL-VPN should plan a migration to a supported platform.

 


Affected (per SonicWall advisory SNWLID-2025-0001)

  • Gen6 NSv (NSv10–NSv1600): 6.5.4.4-44v-21-2457 and older → fixed in 6.5.4.4-44v-21-2472 or higher
  • Gen6 firewalls (SOHO/SOHOW, TZ 300/350/400/500/600 series and W/P variants, SOHO 250/250W, NSA 2650–6650, SM 9200–9650): 6.5.4.15-117n and older → fixed in 6.5.5.1-6n or higher (with manual steps), or 6.5.5.2-28n or higher (no manual steps required)
  • Gen7 firewalls (TZ270–TZ670 and W/P variants, NSa 2700–6700, NSsp 10700–15700) and Gen7 NSv (NSV270/470/870 on ESX, KVM, Hyper-V, AWS, Azure): older firmware up to 7.0.1-5161 / 7.1.1-7058 / 7.1.2-7019 → fixed in 7.0.1-5169 or higher, or 7.2.0-7015 or higher
  • Gen8 firewalls (TZ80, NSa 2800): 8.0.0-8035 → fixed in 8.0.1-8017 or higher
  • SMA100: 10.2.1.13-72sv and older → fixed in 10.2.1.14-75sv or higher

Refer to SNWLID-2025-0001 for the authoritative, complete list.

 


Vendor Guidance (SonicWall)

  • Update affected appliances to the fixed firmware listed in SNWLID-2025-0001.
  • Gen6 firewalls running 6.5.5.1-6n must also perform the following manual remediation steps (taken directly from the SonicWall advisory):
    1. Delete the existing LDAP server configuration where userPrincipalName is used in the Qualified login name field (Device > Users > Settings > Authentication > Configure LDAP).
    2. Delete locally listed LDAP users (Device > Local Users & Groups > Local Users).
    3. Remove the User Domain from SSL VPN Server Settings — it will revert to the default LocalDomain (Network > SSL VPN > Server Settings > SSL VPN Server Settings > User Domain).
    4. Reboot the firewall.
    5. Recreate the LDAP server configuration without userPrincipalName in the Qualified login name field.
    6. Create a fresh backup so the vulnerable configuration cannot be restored later.
  • Gen6 customers on 6.5.5.2-28n or higher do not need to perform the manual steps.
  • Gen7 and Gen8 firewalls running 7.2.0-7015 / 8.0.1-8017 or higher include the remediation in firmware; userPrincipalName is supported again on those versions.
  • SonicWall has published an automation script to help apply the SNWLID-2025-0001 mitigation via the SonicOS API or SSH (linked from the advisory; available at the SonicWall sonicos-automation GitHub repository).
  • For organizations still running Gen6 SSL-VPN appliances, note that they reached end-of-life on April 16, 2026 and should be migrated to a currently supported platform.

 


Indicators of Compromise (IoCs)

SonicWall's advisory does not publish IoCs for this vulnerability. ReliaQuest has published detection signals based on their investigation of in-the-wild intrusions — including specific log indicators in SonicWall SSL-VPN authentication logs and notes that rogue logins can appear as a normal successful MFA flow. Organizations that want to hunt for signs of exploitation in their own environment should refer to the ReliaQuest write-up linked in Additional Resources.

If you find suspicious VPN logins, treat the affected account as potentially compromised — reset its password, revoke active sessions, review what the account accessed, and check for follow-on activity from the VPN-assigned IP. Engage your incident response provider if you find evidence of post-VPN movement.

 


Notes

  • This is a product vulnerability, not a phishing campaign — but it removes a key protection (MFA) that SMBs often rely on as their main defence against credential theft and phishing.
  • Active exploitation is confirmed, and the observed activity pattern aligns with initial access brokers feeding ransomware operations.
  • Patching alone is not sufficient on Gen6 6.5.5.1-6n — the manual LDAP reconfiguration steps must be completed, or upgrade to Gen6 6.5.5.2-28n or higher to avoid them.
  • Logs can be misleading — attacker logins via this bypass may appear as normal successful MFA flows.
  • Gen6 SSL-VPN reached end-of-life April 16, 2026 — plan migration to supported hardware/firmware.

 


Additional Resources

SonicWall PSIRT Advisory

ReliaQuest Blog

high

Two Actively Exploited Microsoft Defender Zero-Days Patched

Updated: May 22nd, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has released security updates for two actively exploited zero-day vulnerabilities in Microsoft Defender — the antivirus and antimalware software built into Windows. Both flaws are being abused in attacks in the wild, and CISA has added them to its Known Exploited Vulnerabilities (KEV) Catalog with a U.S. federal patch deadline of June 3, 2026.

  • CVE-2026-41091 — A flaw in the Microsoft Malware Protection Engine (the part of Defender that scans, detects, and cleans malware) that allows an attacker who already has some access to a Windows device to elevate their privileges to SYSTEM (the highest level of access on Windows).
  • CVE-2026-45498 — A flaw in the Microsoft Defender Antimalware Platform that an attacker can exploit to cause a denial of service — making Defender or the affected system unresponsive.

The good news for most readers: Microsoft Defender updates itself automatically by default, so most Windows systems will receive the fix without any administrator action. The recommended action is to verify that automatic updates are working and that the fixed versions are installed.

 


What You Need to Know

  • What it is: Two vulnerabilities in Microsoft Defender. One allows local privilege escalation (an attacker already on the device gains SYSTEM rights). The other allows denial of service (Defender or the system can be made unresponsive).
  • Why it matters: Microsoft Defender is the default antivirus on most modern Windows systems, including in SMB environments. A privilege escalation to SYSTEM is a powerful step for an attacker who has already gained an initial foothold (for example through phishing or a malicious download), letting them disable security tools, install persistent malware, or move laterally. A DoS in the antimalware platform can leave systems without working endpoint protection.
  • Who is affected: Windows systems running:
    • Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier (CVE-2026-41091)
    • Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier (CVE-2026-45498)
    • Also relevant to older Microsoft AV products that share these components: System Center Endpoint ProtectionSystem Center 2012 / 2012 R2 Endpoint Protection, and Microsoft Security Essentials.
  • Exploitation status: Confirmed active exploitation in the wild. Both CVEs are listed in CISA's KEV Catalog.
  • User interaction required: No for either flaw. The privilege escalation flaw does require the attacker to already have some access to the device.
  • Patch status: Patched. Microsoft has released:
    • Malware Protection Engine version 1.1.26040.8 (fixes CVE-2026-41091)
    • Antimalware Platform version 4.18.26040.7 (fixes CVE-2026-45498)
    • Microsoft states that, by default, customers don't need to take any action — Defender keeps malware definitions and the Antimalware Platform up to date automatically.
  • Important clarifications:
    • These flaws are in Microsoft Defender's components, not in Windows itself. They're delivered through Defender's automatic update mechanism rather than the monthly Patch Tuesday cumulative update.
    • The privilege escalation flaw (CVE-2026-41091) is the more impactful of the two; the denial-of-service flaw (CVE-2026-45498) is lower-impact but still meaningful because it can disrupt endpoint protection.

 


Recommended Actions

Vendor Guidance (Microsoft / CISA)

  • No manual patching is required by default. Microsoft states that the default configuration of its antimalware software keeps malware definitions and the Antimalware Platform up to date automatically.
  • Verify that Microsoft Defender updates and malware definitions are configured to install automatically, and that the fixed versions are present, using the steps Microsoft provides:
    1. Open the Windows Security app (e.g., type "Security" in the Search bar and select Windows Security).
    2. In the navigation pane, select Virus & threat protection.
    3. Under Virus & threat protection, click Protection updates.
    4. Select Check for updates.
    5. In the navigation pane, select Settings, then About.
    6. Check the Antimalware Client Version and platform/signature versions. The update is installed if the Malware Protection Platform or signature package version meets or exceeds the fixed version (1.1.26040.8 / 4.18.26040.7).

 


Additional Resources

Microsoft Security Response Center — CVE-2026-41091

Microsoft Security Response Center — CVE-2026-45498

critical

Multiple Critical Vulnerabilities Patched in Ubiquiti UniFi OS

Updated: May 22nd, 2026

Category: Ubiquiti

Source: Ubiquiti

Overview

Ubiquiti has released security updates for five vulnerabilities in UniFi OS, the operating system that runs on UniFi Consoles such as Dream Machines, Cloud Keys, Cloud Gateways, Network Video Recorders (UNVR), and UniFi NAS devices. Three of the flaws are rated maximum severity (CVSS 10.0) and can be exploited by an attacker who simply has network access to the device, with no login required.

UniFi OS underpins the broader UniFi ecosystem — UniFi Network, UniFi Protect (cameras), UniFi Access (door access), UniFi Talk, and UniFi Connect — so a compromised UniFi Console can affect many parts of an organization's network and physical security.

There is no confirmed in-the-wild exploitation at the time of disclosure; all five flaws were reported through Ubiquiti's HackerOne bug bounty program. However, internet-exposed UniFi OS devices are commonly targeted (the Censys dashboard linked below tracks roughly 100,000 UniFi OS endpoints reachable from the internet), and Ubiquiti devices have a documented history of being recruited into botnets. The recommended action is to update affected devices promptly.


What You Need to Know

  • What it is: A set of five vulnerabilities in UniFi OS — including improper access control, path traversal (a flaw that lets an attacker read files outside of where they should be allowed), and command injection (a flaw that lets an attacker run operating system commands on the device).
  • Why it matters: Successful exploitation can allow attackers to make unauthorized changesread files from the underlying system (potentially exposing credentials), and run commands on the device. A compromised UniFi Console can give an attacker a foothold in the network and influence over connected UniFi services such as cameras (Protect), door access (Access), VoIP (Talk), and the wired/wireless network.
  • Who is affected: Organizations and individuals running UniFi Consoles and UniFi OS devices on the affected versions listed below. This includes a wide range of common SMB and prosumer hardware: Dream Machine family, Cloud Keys, Cloud Gateways, UNVR/ENVR network video recorders, UNAS storage, and the UniFi OS Server.
  • Exploitation status: No confirmed in-the-wild exploitation at time of disclosure. Flaws were responsibly reported via HackerOne. Ubiquiti notes the issues are low-complexity to exploit.
  • User interaction required: No. Exploitation requires network access to the device, but no user action.
  • Patch status: Patches are available. Ubiquiti's advisory does not list workarounds — updating is the path forward.
  • Important clarifications:
    • Devices whose management interface is exposed to the internet are at significantly higher risk.
    • This advisory covers UniFi OS devices specifically. Older AirOS / EdgeOS gear is not the subject of this bulletin.

Vulnerabilities covered

  • CVE-2026-34908 — Improper Access Control — CVSS 10.0 Critical — unauthorized changes to the system over the network.
  • CVE-2026-34909 — Path Traversal — CVSS 10.0 Critical — access to files on the underlying system, potentially including account material.
  • CVE-2026-34910 — Improper Input Validation / Command Injection — CVSS 10.0 Critical — command execution on the device after network access.
  • CVE-2026-33000 — Command Injection — CVSS 9.1 Critical — command execution by an actor with high network privileges.
  • CVE-2026-34911 — Path Traversal — CVSS 7.7 High — access to system files for sensitive information by a low-privileged actor.

Affected Products

Per Ubiquiti Security Advisory Bulletin 064, affected UniFi OS devices and fixed versions include:

Product(s) Affected versions Fixed version
UniFi OS Server 5.0.6 and earlier 5.0.8 or later
UCG-Industrial 5.0.13 and earlier 5.1.12 or later
UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber 5.0.16 and earlier 5.1.12 or later
UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise 5.0.17 and earlier 5.1.12 or later
UNVR-G2, UNVR-G2-Pro 5.1.11 and earlier 5.1.12 or later
UDM-Beast 5.1.8 and earlier 5.1.11 or later
UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8 5.1.8 and earlier 5.1.10 or later

 

Refer to Ubiquiti Security Advisory Bulletin 064 for the authoritative list.

 


Vendor Guidance (Ubiquiti)

  • Update affected UniFi OS devices to the fixed versions listed in Security Advisory Bulletin 064 (see table above). Updating is the only remediation provided by Ubiquiti — the advisory does not list workarounds.

Notes

  • This is a product vulnerability disclosure, not a phishing campaign or operational issue.
  • No user interaction is required to exploit these flaws.
  • No in-the-wild exploitation has been confirmed at time of disclosure; the issues were reported through Ubiquiti's HackerOne program.
  • Patches are available for all five vulnerabilities.
  • Ubiquiti devices have been targeted in past campaigns (including botnet recruitment), so prompt patching is recommended even without confirmed exploitation.

Additional Resources

Ubiquiti Security Advisory Bulletin 064

Censys — Internet-exposed UniFi OS endpoints

high

Microsoft May 2026 Patch Tuesday — 120 Vulnerabilities Fixed, No Zero-Days

Updated: May 15th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft's May 2026 Patch Tuesday delivers security fixes for 120 vulnerabilities across Windows, Microsoft Office, SharePoint, and other Microsoft products. 17 of these are rated Critical, with 14 of the Critical issues being remote code execution (RCE) flaws — meaning an attacker could run code on a vulnerable system if the right conditions are met.

No zero-day vulnerabilities were disclosed this month, and Microsoft has not flagged any of these flaws as actively exploited at the time of release. However, several of the issues are likely to matter to most business environments — particularly multiple Microsoft Office, Word, and Excel flaws that can be triggered when a user opens a malicious file (and in some cases when a malicious file is shown in the email preview pane).

The recommended action is straightforward: install the May 2026 cumulative updates through Windows Update, Microsoft Update, WSUS, or your usual patch management tooling.


What You Need to Know

  • What it is: Microsoft's regular monthly batch of security updates for Windows, Microsoft Office, SharePoint, and related products.
  • Why it matters: Several of the fixes address flaws that can lead to remote code execution — the ability for an attacker to run their own code on your system. The Office-related flaws are especially relevant because many can be triggered simply by opening or previewing a malicious file, which is a common phishing technique.
  • Who is affected: Organizations and individuals running Windows 10, Windows 11, Microsoft Office (including Word and Excel), and on-premises Microsoft SharePoint Server. Typical Canadian SMBs are in scope.
  • Exploitation status: No zero-days disclosed this month. Microsoft has not confirmed in-the-wild exploitation of any of the highlighted CVEs at time of release.
  • User interaction required: Varies by flaw. Some require a user to open a malicious file (or have it rendered in a preview pane). Others, such as the DNS Client flaw, can be triggered by network responses without direct user action.
  • Patch status: Patches are available through standard Microsoft update channels.
  • Important clarifications:
    • This count of 120 covers fixes released today by Microsoft. It does not include earlier-month fixes for Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center, or the Microsoft Edge / Chromium updates handled through Google.
    • The SharePoint Server RCE (CVE-2026-40365) requires an authenticated attacker, which reduces but does not eliminate risk — internal users and compromised accounts can still trigger it.

Notable individual vulnerabilities highlighted by Microsoft / public reporting

  • CVE-2026-35421 — Windows GDI Remote Code Execution. Triggered by opening a malicious Enhanced Metafile (EMF) image (a Windows graphics file format) using Microsoft Paint. GDI is the Windows component that handles drawing graphics and images on screen.
  • CVE-2026-40365 — Microsoft SharePoint Server Remote Code Execution. An authenticated attacker (someone who already has valid SharePoint credentials) can run code remotely on the SharePoint server.
  • CVE-2026-41096 — Windows DNS Client Remote Code Execution. A malicious DNS server can send a specially crafted reply that causes the Windows DNS Client (the part of Windows that translates names like example.com into IP addresses) to mishandle the response, potentially leading to remote code execution on the affected Windows system.
  • Multiple Microsoft Office, Word, and Excel RCE flaws. Exploited by opening a malicious file. Per public reporting, several can be triggered through the preview pane, meaning a user may not need to fully open the file for the attack to occur. Organizations whose staff routinely receive emailed attachments should treat these as a priority.

Affected Products

  • Windows 11 — see KB5089549 (OS builds 26200.8457 and 26100.8457) and KB5087420 (OS build 22631.7079)
  • Windows 10 — see KB5087544 (OS builds 19045.7291 and 19044.7291) — Extended Security Update (ESU) channel
  • Microsoft Office, Word, Excel (multiple supported versions) — see Microsoft Security Update Guide for the authoritative list
  • Microsoft SharePoint Server (on-premises) — see Microsoft Security Update Guide for affected versions
  • Other Microsoft products covered in the May 2026 release notes

For the authoritative, complete list of affected products and CVEs, refer to the Microsoft Security Update Guide — May 2026 release notes.


Vendor Guidance (Microsoft)

  • Install the May 2026 security updates on all supported Windows endpoints and servers using Windows Update, Microsoft Update, WSUS, Intune, or your standard patch management process.
    • Windows 11: KB5089549 or KB5087420 as applicable to your build.
    • Windows 10 (ESU): KB5087544.
  • Update Microsoft Office (including Word and Excel) to the latest available build to address the Office-related remote code execution flaws.
  • For organizations running on-premises SharePoint Server, apply the May 2026 SharePoint security update referenced in the Microsoft Security Update Guide.
  • Review the Microsoft Security Update Guide for May 2026 for the complete list of CVEs and to identify any additional Microsoft products in your environment that need updating.

Notes

  • This is a rollup of product vulnerabilities, not a phishing campaign or operational issue — though several flaws can be delivered via phishing emails with malicious attachments.
  • No zero-days were disclosed by Microsoft this month, and no in-the-wild exploitation has been confirmed for the highlighted CVEs at time of release.
  • User interaction is required for many of the highlighted flaws (opening or previewing a malicious file). Others, like the DNS Client flaw, do not require user interaction in the traditional sense.
  • Patches are available — installing the May 2026 cumulative updates is the primary action.
  • Patch Tuesday fixes are routinely targeted by attackers shortly after release; prompt patching is recommended even when no zero-days are disclosed.

Microsoft Release Notes

critical

Critical Unauthenticated Vulnerabilities in Fortinet FortiAuthenticator and FortiSandbox

Updated: May 15th, 2026

Category: Fortinet

Source: Fortinet

Overview

Fortinet has released security updates for two critical, unauthenticated vulnerabilities affecting FortiAuthenticator and FortiSandbox. Both flaws can allow an attacker who has not logged in to send specially crafted requests that result in arbitrary code or command execution on the device.

  • CVE-2026-44277 — Improper Access Control in FortiAuthenticator (Fortinet's identity and access management appliance, used to manage logins, MFA, and SSO for other systems).
  • CVE-2026-26083 — Missing Authorization in the FortiSandbox web UI, including FortiSandbox Cloud and FortiSandbox PaaS (Fortinet's malware analysis appliance/service).

Both flaws were internally discovered by Fortinet and there is no public confirmation of exploitation in the wild at the time of the advisories. However, Fortinet products are frequently targeted shortly after disclosure — CISA has added many Fortinet vulnerabilities to its Known Exploited Vulnerabilities Catalog over recent years — so timely patching is strongly recommended.


What You Need to Know

  • What they are:
    • CVE-2026-44277 (FortiAuthenticator): An access control flaw on API endpoints that allows an unauthenticated attacker to run unauthorized code or commands using crafted requests.
    • CVE-2026-26083 (FortiSandbox): A missing authorization flaw in the web UI that allows an unauthenticated attacker to run unauthorized code or commands via HTTP requests.
  • Why it matters:
    • FortiAuthenticator is an identity system — if compromised, an attacker can potentially affect logins, MFA, and SSO for many downstream systems.
    • FortiSandbox is a security analysis tool — compromise of a security appliance can undermine the protections it is meant to provide and give attackers a foothold in a trusted part of the network.
  • Who is affected: Organizations running on-premises FortiAuthenticator, on-premises FortiSandbox, or the FortiSandbox Cloud / FortiSandbox PaaS services on the affected versions listed below. FortiAuthenticator Cloud (formerly FortiTrust Identity) is not affected.
  • Exploitation status: No confirmed in-the-wild exploitation at time of disclosure. Both issues were internally discovered by Fortinet.
  • User interaction required: No. Exploitation does not require a user to click anything or log in.
  • Patch status: Patches are available for both vulnerabilities (see Affected section).
  • Important clarifications:
    • Both flaws are flagged as critical and unauthenticated by Fortinet.
    • These products are typically deployed by mid-sized and larger organizations, MSSPs, and service providers, rather than by most pure SMBs directly. SMBs whose security or identity is managed by a service provider may want to confirm with that provider that affected systems have been updated.

Affected Products

FortiAuthenticator (CVE-2026-44277) — per Fortinet PSIRT FG-IR-26-128

  • FortiAuthenticator 8.0.0 and 8.0.2 → upgrade to 8.0.3 or above
  • FortiAuthenticator 6.6.0 through 6.6.8 → upgrade to 6.6.9 or above
  • FortiAuthenticator 6.5.0 through 6.5.6 → upgrade to 6.5.7 or above
  • Not affected: FortiAuthenticator Cloud

FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS (CVE-2026-26083) — per Fortinet PSIRT FG-IR-26-136

  • FortiSandbox 5.0 (5.0.0 – 5.0.1) → upgrade to 5.0.2 or above
  • FortiSandbox 4.4 (4.4.0 – 4.4.8) → upgrade to 4.4.9 or above
  • FortiSandbox Cloud 5.0 (5.0.2 – 5.0.5) → upgrade to 5.0.6 or above
  • FortiSandbox Cloud 23 and 24 (all versions) → migrate to a fixed release
  • FortiSandbox PaaS 5.0 (5.0.0 – 5.0.1) → upgrade to 5.0.2 or above
  • FortiSandbox PaaS 4.4 (4.4.5 – 4.4.8) → upgrade to 4.4.9 or above
  • FortiSandbox PaaS versions 21.3, 21.4, 22.1, 22.2, 23.1, 23.3, 23.4 (all versions) → migrate to a fixed release

Vendor Guidance (Fortinet)

  • FortiAuthenticator (CVE-2026-44277): Upgrade to a fixed version listed above.
  • FortiAuthenticator workaround (per Fortinet): If you cannot upgrade immediately, disable API access for exposed interfaces via Network → Interfaces → Access Rights.
  • FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS (CVE-2026-26083): Upgrade to a fixed version, or migrate to a fixed release for the cloud/PaaS versions listed above. Fortinet's advisory does not list a workaround for this issue — patching/migration is the path provided.

Notes

  • Both items are product vulnerabilities, not phishing or operational issues.
  • No user interaction is required to exploit either flaw.
  • No in-the-wild exploitation has been confirmed at time of disclosure; both were internally discovered by Fortinet.
  • Patches are available for all affected products.
  • Fortinet vulnerabilities have a strong history of being targeted shortly after disclosure — prompt patching is recommended.

Additional Resources

Fortinet PSIRT — FG-IR-26-128 (FortiAuthenticator, CVE-2026-44277)

Fortinet PSIRT — FG-IR-26-136 (FortiSandbox / Cloud / PaaS, CVE-2026-26083)

Bleeping Computer

none

Dell SupportAssist Update Causing Blue-Screen Crashes on Windows PCs

Updated: May 15th, 2026

Category: Dell

Source: Dell

Overview

Dell has confirmed that a recent update to its SupportAssist Remediation service is causing blue-screen crashes (BSODs) and random reboots on some Dell and Alienware PCs running Windows 10 and Windows 11. The faulty version is 5.5.16.0 of the Dell SupportAssist Remediation service (and the equivalent Alienware SupportAssist Remediation service). Affected systems show a stop error referencing 0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS.

This is an operational issue caused by a buggy Dell update — not a security vulnerability and not an attack. Dell engineering is working on a fix. In the meantime, Dell has provided a workaround: disable or uninstall the affected SupportAssist Remediation service.

SupportAssist is the Dell-branded support and maintenance software that comes pre-installed on most new Dell Windows PCs, so the potential install base is large.


What You Need to Know

  • What it is: A faulty version of a Dell-supplied background service is crashing Windows, producing a blue-screen error and causing random reboots.
  • Why it matters: Affected PCs may crash unexpectedly, interrupting work and potentially causing unsaved data loss. For organizations with Dell fleets, this can translate into widespread, repeated downtime until the service is removed or updated.
  • Who is affected: Dell and Alienware Windows 10 / Windows 11 PCs that have Dell SupportAssist Remediation or Alienware SupportAssist Remediation version 5.5.16.0 installed. Dell SupportAssist is pre-installed on most new Dell consumer and business PCs.
  • Exploitation status: Not applicable — this is not a security vulnerability. No attacker is involved.
  • User interaction required: No user action triggers the crash; it occurs as part of normal system operation once the affected service is installed.
  • Patch status: No permanent fix yet. Dell engineering is "aware of the BSOD issue and is working towards a resolution." A workaround is available (see below).
  • Important clarifications:
    • This is an operational / software quality issue, not a security flaw.
    • Uninstalling the SupportAssist Remediation service may remove existing Dell OS SupportAssist Recovery restore points — meaning system repair points created by that tool may no longer be available afterwards.
    • The issue is specific to the SupportAssist Remediation service at version 5.5.16.0. Other Dell software (BIOS, drivers, the main SupportAssist app) is not implicated by Dell in this specific incident.

Affected Products

  • Dell and Alienware PCs running Windows 10 or Windows 11
  • With Dell SupportAssist Remediation or Alienware SupportAssist Remediation service version 5.5.16.0 installed
  • Not affected: Non-Dell PCs; Dell PCs without the affected service version installed; macOS or Linux systems

Vendor Guidance (Dell)

  • Workaround: Disable or uninstall the affected service. Dell's representative on the official community forum specifically points to disabling the Dell SupportAssist Remediation service or fully uninstalling the SupportAssist app as the workaround that has worked for users.
  • To uninstall on an affected PC: open Windows Settings > Apps > Installed apps, locate Dell SupportAssist Remediation (or Alienware SupportAssist Remediation), and click Uninstall.
  • Be aware that uninstalling the service may make existing Dell OS SupportAssist Recovery restore points unavailable.
  • If blue-screen crashes continue after uninstalling the service, contact Dell Support for further assistance.
  • Watch for a fixed version of the SupportAssist Remediation service from Dell as the permanent resolution.

Notes

  • This is an operational issue (a faulty software update), not a vulnerability and not a phishing campaign.
  • No exploitation is involved — there is no attacker.
  • No permanent fix is available yet; a workaround is provided by Dell.
  • Removing the affected service may reduce available system recovery options created by Dell SupportAssist Recovery.

Additional Resources

Dell Community Forum

Dell Community Forum

critical

Cisco Catalyst SD-WAN Controller Zero-Day Actively Exploited (CVE-2026-20182)

Updated: May 15th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has disclosed a maximum-severity vulnerability (CVSS 10.0) in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager that is being actively exploited in zero-day attacks. The flaw, CVE-2026-20182, is an authentication bypass — a flaw that lets an attacker log in without valid credentials. Successful exploitation gives the attacker a high-privileged internal account on the SD-WAN controller, which can then be used to manipulate the organization's SD-WAN configuration and insert rogue devices into the network.

SD-WAN (software-defined wide area network) is the technology many organizations use to connect branch offices, data centers, and cloud environments through a centrally managed, encrypted network. Compromise of the SD-WAN Controller — the "brain" that decides how traffic flows between sites — can give an attacker deep visibility into and control over an organization's network traffic.

Cisco has released fixed software versions. There are no workarounds that fully mitigate the issue — patching is required. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog with a federal patch deadline of May 17, 2026.


What You Need to Know

  • What it is: An authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The product's peering authentication mechanism (the check used to verify devices joining the SD-WAN fabric) "is not working properly," allowing crafted requests to log in as a high-privileged internal account.
  • Why it matters: Once authenticated, the attacker can access NETCONF (a network management protocol used to read and change device configuration) and modify SD-WAN configuration. They can also register rogue peers — malicious devices that look legitimate to the SD-WAN fabric — and use them to redirect traffic or pivot deeper into the network.
  • Who is affected: Organizations running Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager, in either on-premises or SD-WAN Cloud deployments. This is a product used primarily by mid-sized and large organizations, managed service providers (MSPs), and service providers — not typical SMB office networks. SMBs that rely on an MSP or upstream provider for connectivity may be indirectly affected.
  • Exploitation status: Confirmed active exploitation as a zero-day. Cisco detected exploitation in May 2026. Related research from Rapid7 ties earlier exploitation of a similar Cisco SD-WAN flaw (CVE-2026-20127, fixed in February) to a tracked threat actor (UAT-8616) going back to 2023.
  • User interaction required: No. Exploitation does not require any action by an end user or administrator — the attacker sends crafted requests directly to the affected system.
  • Patch status: Patched. Fixed software releases are available from Cisco. No workarounds fully mitigate the issue according to Cisco.
  • CISA action: Added to the Known Exploited Vulnerabilities Catalog with a U.S. federal remediation deadline of May 17, 2026.
  • Important clarifications:
    • This affects the SD-WAN management/control plane, not Cisco's general router, switch, or Meraki product lines.
    • Cisco has published specific indicators of compromise (IoCs) that administrators should check (see below).

Affected Products

  • Cisco Catalyst SD-WAN Controller (on-premises and SD-WAN Cloud deployments)
  • Cisco Catalyst SD-WAN Manager (on-premises and SD-WAN Cloud deployments)
  • Refer to the Cisco Security Advisory (cisco-sa-sdwan-rpa2-v69WY2SW) for the authoritative list of affected versions and fixed releases.

Vendor Guidance (Cisco / CISA)

  • Upgrade to a fixed software release as listed in the Cisco Security Advisory. Cisco states this is the only way to fully remediate CVE-2026-20182.
  • Restrict access to SD-WAN management and control-plane interfaces to trusted internal networks or authorized IP addresses only.
  • Review authentication logs for suspicious login activity (see IoCs section).
  • U.S. federal agencies (and any organization following CISA KEV timelines): patch affected devices by May 17, 2026 as ordered by CISA.

Indicators of Compromise (IoCs)

Cisco has published specific things to look for in logs from any internet-exposed Catalyst SD-WAN Controller. In plain English, these are signs that an attacker may have already used this flaw to log in or to plant a rogue device in your SD-WAN network.

1. Suspicious successful logins to the SD-WAN Controller

Check the controller's authentication log (/var/log/auth.log) for successful key-based logins to the internal vmanage-admin account, especially from IP addresses you don't recognize.

Why it matters: vmanage-admin is an internal high-privileged account. A successful login from an unknown source IP suggests the authentication bypass may have been used.

What to do: Compare the source IP addresses in those log entries against the configured System IPs in the Cisco Catalyst SD-WAN Manager web UI under WebUI > Devices > System IP. If an unknown IP address successfully authenticated, treat the device as compromised and open a Cisco TAC (Technical Assistance Center) case. Refer to the Cisco Security Advisory for the exact log entry format.

2. Unauthorized peering events (rogue devices joining the SD-WAN fabric)

Review SD-WAN Controller logs for new peer or control-connection events you cannot account for.

Why it matters: A "peering event" is when a device joins the SD-WAN fabric. An attacker abusing this flaw may try to register a rogue peer — a malicious device that looks legitimate to your network and can then carry traffic, advertise attacker-controlled networks, or be used as a foothold for lateral movement.

What to do: Investigate any peering event whose system IP, public IP, site ID, or device identity is not on your list of known, authorized SD-WAN devices. If you find one, treat it as a potential compromise and open a Cisco TAC case. The Cisco Security Advisory includes example log entries to help identify what to look for.


Notes

  • This is a product vulnerability, not a phishing or operational issue.
  • No user interaction is required for exploitation.
  • Active exploitation is confirmed, with related activity attributed to a tracked threat actor going back to 2023.
  • No workarounds fully mitigate the flaw — patching is required.
  • This issue primarily affects organizations operating Cisco Catalyst SD-WAN infrastructure. Most SMBs will not run these controllers themselves but may want to confirm with their MSP or service provider that affected systems have been patched.

Additional Resources

Cisco Security Advisory 

Rapid7 research

BleepingComputer

critical

Critical Authentication Bypass in Burst Statistics WordPress Plugin Actively Exploited (CVE-2026-8181)

Updated: May 15th, 2026

Category: WordPress

Source: Wordfence

Overview

A critical vulnerability in the Burst Statistics WordPress plugin allows attackers to take over websites as an administrator without needing to log in. Burst Statistics is a privacy-focused analytics plugin used on roughly 200,000 WordPress sites as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, lets an unauthenticated attacker impersonate any known administrator account — or even create a brand-new administrator account — by sending specially crafted requests to the site. Attacks are already happening at scale: Wordfence reports blocking over 7,400 exploitation attempts in a single 24-hour period.

A fix is available in Burst Statistics version 3.4.2, released on May 12, 2026. Site owners should update immediately or temporarily disable the plugin.


What You Need to Know

  • What it is: An authentication bypass vulnerability — a flaw that lets an attacker act as a logged-in user without actually logging in. In this case, the attacker can act as a WordPress administrator, which is the highest level of access on the site.
  • Why it matters: Admin access on a WordPress site means the attacker can install backdoors, plant malware, redirect visitors to malicious sites, steal data from the site's database, create new admin accounts to keep access, and more. For an SMB, this can mean a defaced or hijacked website, customer data exposure, blocklisting by browsers and search engines, and reputational damage.
  • Who is affected: WordPress sites running the Burst Statistics plugin versions 3.4.0 or 3.4.1. Sites that do not use this plugin are not affected.
  • Exploitation status: Confirmed active exploitation. Wordfence has observed and blocked thousands of attacks targeting this vulnerability.
  • User interaction required: No. Exploitation does not require any action from a site administrator or visitor. An attacker only needs to know (or guess) a valid admin username — which is often discoverable from blog posts, comments, or public WordPress endpoints.
  • Patch status: Patched in Burst Statistics 3.4.2 (released May 12, 2026).
  • Important clarifications:
    • This is a flaw in the Burst Statistics plugin, not in WordPress core.
    • Wordfence estimates that, based on download numbers, roughly 115,000 sites may still be running a vulnerable version at the time of disclosure.
    • Knowing an admin username is enough — the attacker does not need a valid password.

Affected Products

  • Plugin: Burst Statistics for WordPress
  • Vulnerable versions: 3.4.0 and 3.4.1
  • Fixed version: 3.4.2 (released May 12, 2026)
  • Not affected: Sites not running the Burst Statistics plugin, or sites already updated to 3.4.2

Vendor Guidance (Wordfence / Plugin Vendor)

  • Update the Burst Statistics plugin to version 3.4.2 or later as soon as possible. Wordfence specifically calls out that updating to the latest version "as soon as possible is critical."
  • If you cannot update immediately, disable the Burst Statistics plugin on your site until you can apply the update.

Additional Best Practices

  • After updating, review your site's administrator accounts for any unfamiliar users and remove any you don't recognize — admin takeover via this flaw can include the creation of rogue admin accounts, which is described in the Wordfence advisory as a worst-case outcome of exploitation.

Notes

  • This is a product vulnerability in a third-party WordPress plugin, not a phishing campaign or a WordPress core issue.
  • No user interaction is required for exploitation.
  • Active exploitation is confirmed and ongoing at significant volume.
  • patch is available — the primary action is to update the plugin.

Additional Resources

Wordfence blog

Wordfence Threat Intelligence — CVE-2026-8181

WordPress.org plugin page — Burst Statistics

high

Microsoft Exchange Server Zero-Day Exploited in Attacks (CVE-2026-42897)

Updated: May 15th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has disclosed a high-severity vulnerability in on-premises Microsoft Exchange Server that is being actively exploited in attacks. The flaw affects Outlook on the web (OWA) — the browser-based version of Outlook used to access an on-premises Exchange mailbox. An attacker can send a specially crafted email that, when opened in OWA under certain conditions, can run attacker-controlled JavaScript in the user's browser session. This is a type of attack known as cross-site scripting (XSS) — where malicious code runs inside a trusted website in the user's browser, potentially allowing the attacker to impersonate the user, read mail, or take other actions in their mailbox.

No permanent patch is available yet. Microsoft has released mitigations (temporary protective measures) that are applied automatically on most up-to-date Exchange servers through the Exchange Emergency Mitigation Service (EEMS).

This issue affects on-premises Exchange Server only. Exchange Online (the cloud mailbox service in Microsoft 365) is not listed as affected.


What You Need to Know

  • What it is: A spoofing / cross-site scripting (XSS) vulnerability in Outlook on the web (OWA) for on-premises Exchange Server, tracked as CVE-2026-42897.
  • Why it matters: Exchange is a frequent target for ransomware groups and state-sponsored attackers. Even though this flaw runs code in the browser rather than directly on the server, it can still be used to compromise mailboxes, steal information, or set up further attacks.
  • Who is affected: Organizations running on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) — including fully up-to-date installations. Microsoft 365 / Exchange Online customers are not listed as affected.
  • Exploitation status: Confirmed active exploitation in attacks, according to Microsoft.
    User interaction required: Yes. A user must open the malicious email in Outlook on the web, and certain other conditions must be met. Users on the Outlook desktop client are not the trigger path described by Microsoft.
  • Patch status: No permanent patch yet. Microsoft has released mitigations through the Exchange Emergency Mitigation Service (EEMS) and the Exchange On-premises Mitigation Tool (EOMT) for air-gapped environments. Permanent updates are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15 — but updates for Exchange 2016 and 2019 will only be delivered to customers enrolled in the Extended Security Updates (ESU) Period 2 program.
  • Important clarifications:
    Applying the mitigation will break some OWA features: Print Calendar in OWA, inline images in the OWA reading pane, and OWA Light (a deprecated layout). Microsoft suggests using the Outlook desktop client or sending images as attachments as workarounds.
    EEMS can only fetch new mitigations if the server is running an Exchange build from March 2023 or later. Older builds will need to apply the mitigation manually using EOMT.

Affected Products

  • Microsoft Exchange Server 2016 (on-premises)
  • Microsoft Exchange Server 2019 (on-premises)
  • Microsoft Exchange Server Subscription Edition (SE) (on-premises)
  • Not listed as affected: Exchange Online / Microsoft 365 hosted mailboxes

Recommended Actions

  • Vendor Guidance (Microsoft)
    • Enable the Exchange Emergency Mitigation Service (EEMS) if it is currently disabled. This is Microsoft's recommended fastest way to mitigate the issue. EEMS will apply the mitigation automatically on Exchange 2016, 2019, and SE servers with the Mailbox role.
    • Ensure your Exchange server is running a build from March 2023 or later so EEMS can retrieve the latest mitigation.
    • For air-gapped or disconnected environments, download the latest Exchange On-premises Mitigation Tool (EOMT) and apply the mitigation for CVE-2026-42897 from an elevated Exchange Management Shell, following the exact commands in Microsoft's Exchange Team blog post linked below.
    • Plan for the permanent update when Microsoft releases it, and confirm whether your organization is enrolled in the Exchange Server ESU Period 2 program if you are running Exchange 2016 or 2019, since the patch will only be delivered through ESU for those versions.
    • Be aware of the known side effects of the mitigation (OWA Print Calendar, inline images in OWA reading pane, OWA Light) and communicate the workarounds to users.
  • Additional Best Practices
    • Remind staff who use Outlook on the web to be cautious with unexpected emails until the permanent patch is applied — exploitation requires a user to open a malicious message in OWA.
    • Review the NSA / CISA Cybersecurity Information Sheet on Microsoft Exchange Server Security Best Practices (linked below) for broader Exchange hardening guidance.

Notes

  • This is a product vulnerability, not a phishing campaign — but user interaction (opening the email in OWA) is required for exploitation.
  • Active exploitation is confirmed by Microsoft.
  • No permanent patch is available at the time of writing — only mitigations.
  • Affects on-premises Exchange only; Exchange Online is not listed as affected.
  • Permanent patches for Exchange 2016 / 2019 will require enrollment in Microsoft's paid Extended Security Updates (ESU) Period 2 program.

Additional Resources

Microsoft Security Response Center advisory — CVE-2026-42897

Microsoft Exchange Team blog

NSA / CISA Cybersecurity Information Sheet — Microsoft Exchange Server Security Best Practices

none

Canvas Breach Confirmed; Schools Should Prepare for Follow-On Phishing and Extortion

Updated: May 11th, 2026

Category: Instructure

Source: Bitdefender

Overview

Instructure has confirmed that data was stolen in a cyberattack affecting its education platform environment. Instructure is best known for Canvas, a widely used online learning platform used by schools, colleges, and universities for coursework, grading, messaging, assignments, and student-teacher communication.

This is important because Canvas can hold more sensitive information than a typical school app. Depending on how an institution uses it, exposed data may include names, email addresses, student ID numbers, and private messages between users. That creates not only a privacy issue, but also a strong risk of convincing phishing, impersonation, and extortion attempts using real school context.

Follow-on reporting linked the incident to the ShinyHunters extortion group, which later claimed responsibility and reportedly defaced Canvas login portals for hundreds of institutions with ransom messages.


What to Know

  • Instructure confirmed it suffered a cyber incident and that data was stolen.
  • Instructure said the exposed information appears to include:
    • names
    • email addresses
    • student ID numbers
    • messages among users
  • Instructure said it has found no evidence so far that the breach involved:
    • passwords
    • dates of birth
    • government identifiers
    • financial information
  • Instructure said it deployed patches, increased monitoring, and rotated application keys as a precaution.
  • Customers must re-authorize API access so new application keys can be issued.
  • Reporting says attackers later defaced Canvas login portals for roughly 330 institutions and displayed extortion messages in the Canvas app for a short period.
  • Attackers threatened to leak stolen data if ransom demands were not met.
  • The exact full scope of affected institutions and data remains under investigation.

Why this matters for non-technical readers
This is not just a back-end IT problem.

If attackers have real student and staff details, they may be able to send very believable scam messages that appear to come from:

  • professors
  • advisors
  • registrars
  • disability or student support offices
  • financial aid teams
  • school IT help desks

Because those messages may reference real courses, names, or past conversations, they could be much more convincing than ordinary phishing emails.

Possible real-world risks include:

  • fake Canvas login emails
  • fake password reset or MFA prompts
  • scams about grades, tuition, or enrollment
  • impersonation of teachers, advisors, or support staff
  • exposure of sensitive personal conversations
  • reputational harm and emergency communications work for schools

Affected Products


Confirmed affected environment:

  • Instructure / Canvas platform customers

Most relevant audiences:

  • colleges and universities
  • K-12 school districts
  • online education providers
  • teaching hospitals and academic medical programs
  • institutions with heavy Canvas messaging, advising, or API integration use

Potential impact:

  • exposure of user identifying information
  • exposure of private messages
  • disruption to integrations due to API key rotation
  • increased phishing and social engineering risk
  • possible privacy, legal, and notification obligations
  • reputational damage and user trust issues

What is Confirmed vs. What is Still Being Reported

Confirmed by Instructure:

  • a cyber incident occurred
  • data was stolen
  • certain user information and messages were involved
  • patches were deployed
  • monitoring was increased
  • application keys were rotated
  • customers need to re-authorize API access

Reported or claimed, but not fully confirmed in vendor statements reviewed here:

  • the exact total number of affected institutions
  • the total number of affected individuals
  • the full categories of all stolen data
  • the exact technical method used in the intrusion
  • whether all publicly named institutions had the same level of exposure
  • the full extent of any later defacement activity

Best Practices for End Users

Advise users to:

  • be cautious with unexpected emails or texts about coursework, grades, aid, or account issues
  • avoid clicking login links in unsolicited messages
  • verify unusual requests through official school channels
  • report suspicious messages to school IT or security staff
  • use MFA wherever available
  • change passwords if they reused a school password elsewhere

Operational warning signs may include:

  • broken or suddenly unauthorized Canvas integrations
  • unusual login prompts or fake Canvas-themed pages
  • suspicious emails referencing real courses, instructors, or support issues
  • unusual bulk data export or admin activity
  • extortion or leak-threat communications
  • user reports of strange messages or account behavior

Notes

  • This is best treated as an active breach and extortion event, not just a routine software issue.
  • The most important near-term risk may be follow-on phishing and social engineering using real institutional context.
  • Even if an institution’s own internal network was not directly breached, stolen Canvas data could still be used to target its people.
  • Schools that use Canvas for sensitive advising, accommodation, or support communications should treat this as a potentially high-sensitivity incident.
  • The exact scope may change as Instructure’s investigation continues.

Additional Resources:

Bleeping Computer Coverage

TrendMicro Report

Bitdefender Technical Advisory

high

Ivanti EPMM Flaw Exploited as Zero-Day Requires Immediate Patching

Updated: May 11th, 2026

Category: Ivanti

Source: Ivanti

Overview

Ivanti has released security updates for five high-severity vulnerabilities in Ivanti Endpoint Manager Mobile, or EPMM, an on-premises mobile device management product. The most urgent issue, CVE-2026-6973, has seen very limited real-world exploitation, according to Ivanti. It allows a remotely authenticated user with administrative access to achieve remote code execution. Ivanti says only the on-prem EPMM product is affected, not Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.


What to Know

  • The primary exploited flaw is CVE-2026-6973.
  • Ivanti rates CVE-2026-6973 as high severity, not critical.
  • Ivanti says successful exploitation requires admin authentication.
  • The impact of CVE-2026-6973 is remote code execution.
  • Ivanti says it is aware of a very limited number of customers exploited with CVE-2026-6973.
  • Ivanti recommends customers review accounts with admin rights and rotate those credentials where necessary.
  • Ivanti says customers previously exploited via CVE-2026-1281 and CVE-2026-1340 should rotate credentials, and that doing so significantly reduces risk from CVE-2026-6973.
  • Ivanti released fixes not only for CVE-2026-6973 but also for:
    • CVE-2026-5786
    • CVE-2026-5787
    • CVE-2026-5788
    • CVE-2026-7821
  • Ivanti says it is not aware of customers being exploited by those other four CVEs at the time of disclosure.
  • Ivanti notes that CVE-2026-7821 is unauthenticated, but customers are not at risk from it if they have not configured and are not using Apple Device Enrollment.
  • Ivanti says there are currently no reliable atomic indicators of compromise for these issues.

Affected Product/Versions

  • Ivanti Endpoint Manager Mobile, or EPMM, on-premises deployments

Affected versions:

  • EPMM 12.8.0.0 and prior

Resolved versions:

  • 12.6.1.1
  • 12.7.0.1
  • 12.8.0.1

Not affected, according to Ivanti:

  • Ivanti Neurons for MDM
  • Ivanti EPM
  • Ivanti Sentry
  • Other Ivanti products
  • Ivanti cloud solutions

Recommended Actions

Vendor Guidance

  • Update EPMM to one of the fixed versions immediately:
    • 12.6.1.1
    • 12.7.0.1
    • 12.8.0.1
  • Review accounts with admin rights.
  • Rotate admin credentials where necessary.
  • If you were previously exploited via CVE-2026-1281 or CVE-2026-1340, rotate credentials as Ivanti recommended earlier.
  • If you deploy a new Sentry server after updating EPMM, use one of the new Sentry versions:
    • 10.4.2
    • 10.5.1
    • 10.6.1

Additional Resources

CISA Alert

Ivanti Advisory

critical

MOVEit Automation Auth Bypass Requires Immediate Upgrade

Updated: May 7th, 2026

Category: Progress Software

Source: Progress Software

Overview


Progress Software has released security updates for two vulnerabilities in MOVEit Automation, an enterprise managed file transfer and workflow automation product used to schedule and manage file transfers between systems, cloud services, and external partners. The most serious issue, CVE-2026-4670, is a critical authentication bypass vulnerability that can be exploited remotely without privileges and without user interaction. Progress says upgrading with the full installer is the only way to remediate it.


What to Know

  • The primary issue is CVE-2026-4670, a critical authentication bypass vulnerability in MOVEit Automation.
  • Progress says it can be exploited remotely.
  • The vendor says exploitation does not require privileges on the target system.
  • The attack complexity is low and no user interaction is required.
  • Progress also fixed CVE-2026-5174, a high-severity privilege escalation vulnerability caused by improper input validation.
  • Progress strongly recommends upgrading to the latest patched version.
  • The vendor says using the full installer is the only way to remediate CVE-2026-4670.
  • Progress warns there will be an outage while the upgrade runs.

Affected Products


Progress says MOVEit Automation versions before the following releases are affected:

  • 2025.1.5
  • 2025.0.9
  • 2024.1.8

Recommended Actions

Vendor Guidance

  • Upgrade MOVEit Automation to a patched release immediately.
  • Use the full installer, as Progress says this is the only way to remediate the issue.
  • Plan for an outage during the upgrade process.
  • Review Progress’s bulletin for both CVE-2026-4670 and CVE-2026-5174 and ensure both fixes are applied.

Additional Resources

Progress security bulletin

high

DAEMON Tools Lite Supply Chain Breach Delivered Malware From Official Site

Updated: May 7th, 2026

Category: Disc Soft

Source: Disc Soft

Overview

Disc Soft, the maker of DAEMON Tools Lite, has confirmed that its infrastructure was breached and that some DAEMON Tools Lite installation packages were released in a compromised state.

DAEMON Tools is a Windows utility commonly used to mount disc image files and work with virtual drives. This is a software supply chain incident, meaning users could receive malware from an official vendor source. Disc Soft says the issue was limited to the free version of DAEMON Tools Lite, and Kaspersky has confirmed that the newly released version 12.6.0 is no longer malicious.


What to Know

  • The company says certain installation packages in its build environment were impacted and released in a compromised state.
  • According to Disc Soft, the issue was limited to the free version of DAEMON Tools Lite.
  • Disc Soft says paid versions of DAEMON Tools Lite, DAEMON Tools Pro, and DAEMON Tools Ultra were not affected.
  • Users who downloaded or installed the affected free DAEMON Tools Lite version since April 8 should treat their systems as potentially compromised.
  • Kaspersky reported that the trojanized installers were digitally signed and distributed from the official website.
  • Kaspersky says the malware chain included an information stealer and, for some victims, a second-stage backdoor.
  • In at least one case, Kaspersky observed deployment of QUIC RAT.
    • QUIC RAT is a remote access trojan that can help attackers control an infected device.
  • Disc Soft released DAEMON Tools Lite version 12.6 on May 5.
  • Kaspersky says version 12.6.0.2445 no longer shows the malicious behavior.

Affected Products

Disc Soft says the incident affected:

  • Free DAEMON Tools Lite version 12.5.1

Disc Soft advises action for:

  • Users who downloaded or installed DAEMON Tools Lite 12.5.1 free since April 8

Kaspersky reporting references compromised installer versions ranging from:

  • 12.5.0.2421 through 12.5.0.2434

Not affected, according to Disc Soft:

  • Paid versions of DAEMON Tools Lite
  • DAEMON Tools Pro
  • DAEMON Tools Ultra

Fixed / clean version

  • DAEMON Tools Lite 12.6
  • Kaspersky specifically says 12.6.0.2445 no longer exhibits malicious behavior

Recommended Actions

Vendor Guidance

  • Uninstall DAEMON Tools Lite 12.5.1 free if it was downloaded or installed since April 8.
  • Run a full system scan using antivirus or other security software.
  • Install the latest DAEMON Tools Lite version 12.6 from the official website.
  • Do not continue using the older compromised build.

Additional Resources

Disc Soft incident notice

Kaspersky report

high

Cisco Network Orchestration Flaw Can Force Manual Reboots

Updated: May 7th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has released security updates for a denial-of-service vulnerability affecting Cisco Crosswork Network Controller and Cisco Network Services Orchestrator. A successful attack can make the affected system unresponsive, and Cisco says a manual reboot is required to recover. This is mainly relevant to larger enterprises, service providers, and organizations that use Cisco network orchestration platforms.


What to Know

  • The vulnerability is tracked as CVE-2026-20188.
  • Cisco says the issue is caused by inadequate rate limiting on incoming network connections.
  • The flaw can be exploited remotely by an unauthenticated attacker.
  • A successful exploit can exhaust connection resources and make the system unresponsive.
  • Cisco says a manual reboot is required to recover from the denial-of-service condition.
  • Cisco strongly recommends upgrading to the fixed software.
  • Cisco says it is not aware of active exploitation.

Affected Products


Cisco Crosswork Network Controller:

  • Release 7.1 and earlier: vulnerable; migrate to a fixed release
  • Release 7.2: not vulnerable

Cisco Network Services Orchestrator:

  • Release 6.3 and earlier: vulnerable; migrate to a fixed release
  • Release 6.4: fixed in 6.4.1.3
  • Release 6.5: not vulnerable

Recommended Actions

Vendor Guidance

  • Upgrade to the fixed software version recommended by Cisco.
  • For Cisco CNC 7.1 and earlier, migrate to a fixed release.
  • For Cisco NSO 6.4, upgrade to version 6.4.1.3.
  • If you run Cisco NSO 6.3 and earlier, migrate to a fixed release.
  • Review Cisco’s advisory for product-specific upgrade guidance.

Notes

  • Cisco says it is not aware of active exploitation.
  • This is a denial-of-service issue, not a remote code execution flaw.
  • The products affected are specialized orchestration platforms and are not commonly used in typical small business environments.

Additional Resources

Cisco Advisory

none

Fake Claude Site Delivers Windows Backdoor Malware

Updated: May 7th, 2026

Category: Malware

Source: Malwarebytes

Overview

Researchers have identified a fake Claude-themed website distributing a malicious Windows installer that gives attackers remote access to infected systems. This is not a vulnerability in Claude itself. Instead, it is a brand-impersonation campaign that uses a fake download page to trick users into installing malware.


What to Know

  • The campaign uses the fake domain claude-pro[.]com to impersonate Claude and deliver a malicious Windows download.
  • The installer is presented as a Claude-related product, but it installs malware in the background.
  • According to the reporting provided, the malware can give attackers remote access to the infected computer.
  • This is a social engineering and malware delivery issue, not a software flaw in Claude.
  • The campaign appears aimed at Windows users who download software from unofficial sites.
  • The reported malware chain includes files placed in the Startup folder to help it persist after reboot.
  • Researchers say the malware supports attacker actions such as command execution and file transfer.
  • The source notes that the presence of files named with “NOVupdate” is a strong sign of compromise.

Important scope note:

  • This does not indicate a compromise of Claude’s legitimate service.
  • Risk depends on a user visiting the fake site and running the downloaded installer.
  • The issue is most relevant to Windows endpoints and organizations with users likely to test AI tools or developer utilities.

Recommended Actions

  • Download Claude only from the official source.
  • Avoid clicking sponsored search results when downloading software, especially AI tools, security tools, or developer utilities.
  • If a user downloaded a Claude-related installer from a non-official site, treat the endpoint as potentially compromised.
  • If a user reports installing a Claude-related package from a non-official source, isolate the device and investigate promptly.

Notes

  • This is an impersonation and malware campaign, not a Claude product vulnerability.
  • The attack relies on user download and execution of a malicious file.
  • “NOVupdate” files are described in reporting as a strong indication of compromise.

 

critical

Palo Alto Firewall Zero-Day Is Under Active Exploitation

Updated: May 7th, 2026

Category: Palo Alto

Source: Palo Alto

Overview

Palo Alto Networks has disclosed active exploitation of a critical zero-day vulnerability in PAN-OS firewalls. The flaw affects the User-ID Authentication Portal, also called the Captive Portal, and can allow an unauthenticated attacker to run code with root privileges on exposed devices. This is especially serious because firewalls sit at the network edge and help protect access to internal systems.


What to Know

  • The vulnerability is tracked as CVE-2026-0300.
  • Palo Alto says the flaw is a buffer overflow in the PAN-OS User-ID Authentication Portal.
  • The issue can allow unauthenticated remote code execution with root privileges.
    • In plain English, that means an attacker may be able to take control of an exposed firewall without logging in.
  • Unit 42 says it is tracking the activity cluster as CL-STA-1132 and describes it as likely state-sponsored.
  • Palo Alto says exploitation attempts began on April 9, 2026, with successful compromise observed about a week later.
  • After exploitation, the attackers reportedly injected shellcode and then cleaned logs to reduce detection.
  • Palo Alto says the attackers deployed Earthworm and ReverseSocks5 tunneling tools on compromised firewalls.
  • CISA has added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog.
  • At the time of the reporting provided, Palo Alto said patches were still in progress and advised immediate mitigation.

Affected Devices

  • Internet-exposed PA-Series firewalls running PAN-OS with the User-ID Authentication Portal enabled
  • Internet-exposed VM-Series firewalls running PAN-OS with the User-ID Authentication Portal enabled

Not affected, according to Palo Alto:

  • Cloud NGFW
  • Panorama appliances

Important scope note:

  • Exposure depends on whether the User-ID Authentication Portal is enabled and reachable from untrusted networks.
  • Organizations using Palo Alto firewalls without this portal exposed may have lower direct risk.
  • This is primarily an edge-device risk, so internet-facing deployments should be prioritized.

Recommended Actions

Vendor Guidance

  • Restrict access to the PAN-OS User-ID Authentication Portal to trusted zones only.
  • If that is not possible, disable the portal until patches are available.
  • Check whether the vulnerable service is enabled under:
    • Device > User Identification > Authentication Portal Settings > Enable Authentication Portal
  • Monitor Palo Alto Networks for patch availability and apply updates as soon as released.

Indicators of Compromise (IoCs)

Based on Palo Alto’s reporting, defenders should look for:

  • evidence of shellcode injection
  • deleted nginx crash entries or crash records
  • deleted crash core dump files
  • cleared crash kernel messages
  • presence of Earthworm
  • presence of ReverseSocks5
  • unusual tunneling or SOCKS proxy behavior originating from the firewall

Notes

  • Active exploitation is confirmed by Palo Alto Networks.
  • CISA has added the flaw to the KEV catalog.
  • Palo Alto describes the activity as limited but likely state-sponsored.
  • This issue affects the Captive Portal component, not all Palo Alto products broadly.

Additional Resources

Palo Alto Advisory

Palo Alto Security Advisories 

critical

cPanel and WHM Zero-Day Auth Bypass Is Under Active Exploitation

Updated: April 30th, 2026

Category: cPanel

Source: cPanel

Overview

cPanel has released a security update for a critical authentication bypass vulnerability affecting cPanel software, including cPanel & WHM, WP Squared, and DNSOnly. An authentication bypass flaw can let an attacker gain access without a normal login. cPanel says all versions after 11.40 may be affected, and organizations should update immediately or apply temporary mitigations if they cannot patch right away.


What to Know

  • The vulnerability is tracked as CVE-2026-41940.
  • cPanel describes it as an authentication bypass issue.
    • In plain English, that means the software may accept access that should have been blocked.
  • cPanel says the issue affects cPanel software, including DNSOnly.
  • The vendor says all versions after 11.40 are affected.
  • cPanel has released patches for supported versions and a fixed version for WP Squared.
  • After updating, cPanel says administrators should verify the installed version and restart the cpsrvd service.
  • If a server cannot be updated immediately, cPanel recommends blocking inbound traffic on specific ports or stopping key cPanel services.
  • If a server is on an unsupported version that is not eligible for the patch, cPanel warns it may also be affected and should be upgraded as soon as possible.

Affected Products

  • cPanel software, including DNSOnly, affecting versions after 11.40
  • Patched cPanel & WHM versions:
    • 11.86.0.41
    • 11.110.0.97
    • 11.118.0.63
    • 11.126.0.54
    • 11.130.0.18
    • 11.132.0.29
    • 11.134.0.20
    • 11.136.0.5
  • Patched WP Squared version:
    • 136.1.7

Recommended Actions

Vendor Guidance

  • Update affected servers immediately using the cPanel update script:
    • /scripts/upcp --force
  • After the update, verify the installed cPanel version:
    • /usr/local/cpanel/cpanel -V
  • Restart the cPanel service:
    • /scripts/restartsrv_cpsrvd
  • Identify any servers where cPanel updates are disabled or pinned to a specific version, and update those manually as a priority.
  • If you cannot update immediately, apply one of these vendor-recommended mitigations:
    • Block inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall, or
    • Stop cpsrvd and cpdavd
  • If your server is on an unsupported version not eligible for the patch, work toward upgrading as soon as possible because it may also be affected.
  • A supporting third-party detection and validation script has been published by watchTowr.
  • The cPanel advisory also notes that a detection script was added, and readers should use the official advisory page for vendor-provided guidance.

Additional Resources

cPanel Security Advisory

Rapid7 analysis

watchTowr supporting technical resource

critical

Breeze Cache WordPress Flaw Is Under Active Exploitation

Updated: April 30th, 2026

Category: WordPress

Source: Wordfence

Overview
A critical vulnerability in the Breeze Cache plugin for WordPress is being actively exploited, according to Wordfence. The flaw can let an attacker upload arbitrary files to a website server without logging in. In plain English, that means a vulnerable site could be taken over if the plugin is installed in the affected configuration.


What to Know

  • The vulnerability is tracked as CVE-2026-3844.
  • It affects the Breeze Cache plugin for WordPress.
  • Wordfence says the flaw is being actively exploited.
  • The issue is an unauthenticated arbitrary file upload vulnerability.
  • That means an attacker may be able to upload a malicious file to the server without needing an account.
  • Successful exploitation could lead to remote code execution, meaning the attacker may be able to run code on the website server.
  • A fixed version is available: Breeze 2.4.5.
  • The vulnerable setting is the “Host Files Locally - Gravatars” add-on.
  • Wordfence says that option must be enabled for exploitation to succeed.
  • Wordfence also says that setting is not enabled by default.

Affected Products

  • WordPress sites using the Breeze Cache plugin
  • Affected versions: all versions up to and including 2.4.4
  • Fixed version: 2.4.5
  • Higher-risk condition: the “Host Files Locally - Gravatars” add-on is enabled

Recommended Actions

Vendor Guidance

Update the Breeze Cache plugin to version 2.4.5 as soon as possible.

  • If you cannot update immediately, disable the “Host Files Locally - Gravatars” setting.
  • Review the vendor and security advisory details to confirm whether your site is using the affected configuration.

Additional Resources

WordPress.org Breeze Cache plugin page

Wordfence Advisory

critical

Microsoft Issues Emergency Fix for Critical ASP.NET Core Flaw

Updated: April 23rd, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has released an emergency out-of-band update for a critical ASP.NET Core vulnerability that can let an unauthenticated attacker forge authentication data and gain elevated access in affected applications. This issue does not affect every Microsoft customer equally, but it is important for organizations that run ASP.NET Core apps using Data Protection for sign-ins, session handling, password reset links, or similar security features.


What to Know

  • The flaw is tracked as CVE-2026-40372.
  • It affects ASP.NET Core Data Protection, a feature developers use to protect sensitive data such as authentication cookies, antiforgery tokens, and other signed application data.
  • Microsoft says a regression in affected packages broke part of the validation process.
  • In plain English, that means some apps may incorrectly trust forged authentication data.
  • Microsoft says an attacker could use this to forge authentication cookies and gain SYSTEM privileges on affected devices.
  • Microsoft also says the flaw could allow file disclosure and data modification.
  • No exploitation is confirmed in the sources provided.
  • Updating alone may not fully clean up prior exposure if attackers obtained valid tokens during the vulnerable period.
  • Microsoft says some legitimately signed tokens issued during that window may remain valid after updating unless the Data Protection key ring is rotated.

Affected

  • Applications using affected versions of Microsoft.AspNetCore.DataProtection
  • Vulnerable package range: 10.0.0 through 10.0.6
  • Fixed version: 10.0.7

Examples of potentially affected protected data mentioned by Microsoft:

  • Authentication cookies
  • Antiforgery tokens
  • TempData
  • OpenID Connect state
  • Session refresh tokens
  • API keys
  • Password reset links

Important scope note:

  • This is an application-layer issue affecting ASP.NET Core apps that use the vulnerable Data Protection packages.
  • It is especially relevant to software vendors, SaaS providers, developers, and organizations running custom .NET applications.
  • Many SMBs would be affected only if they host or rely on a vulnerable application built on this component.

Recommended Actions

Vendor Guidance

  • Update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 as soon as possible.
  • Redeploy affected applications after updating.
  • Review Microsoft’s guidance on affected packages, platforms, and application configurations.
  • Rotate the Data Protection key ring after updating if your application may have issued trusted tokens during the vulnerable window.
  • Review whether forged authentication may have resulted in issuance of legitimate tokens such as session refresh tokens, API keys, or password reset links.

Additional Resources

Microsoft advisory

Microsoft .NET Blog: .NET 10.0.7 OOB Security Update

.NET announcement

.NET 10.0.7 release notes

critical

Cisco Webex Customers May Need SSO Certificate Update

Updated: April 21st, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has fixed a critical security flaw in Cisco Webex Services involving single sign-on, or SSO, the feature that lets users sign in through their organization’s identity system instead of a separate Webex password. Cisco says the flaw could have allowed a remote attacker with no privileges to impersonate any user in affected environments. The service-side issue has been addressed by Cisco, but some organizations still need to take action to avoid Webex sign-in problems.


What to Know

  • This is a vulnerability in Cisco Webex Services, specifically in SSO integration with Control Hub.
  • Cisco says the issue was caused by improper certificate validation, meaning Webex did not correctly verify certain digital trust information during authentication.
  • If exploited, the flaw could have allowed an unauthenticated remote attacker to impersonate any user in the service.
  • Cisco says it has already addressed the vulnerability in the cloud service.
  • Customer action is still required for affected organizations that use trust anchors with their SSO integration. (Trust anchors are trusted digital certificates used to verify that your organization’s sign-in system is legitimate.)
  • Those organizations should upload a new identity provider, or IdP, SAML certificate to Control Hub.
  • Cisco warns that failing to complete the update may cause service interruption.
  • Cisco says it is not aware of public announcements or malicious use of this vulnerability.
  • This is a product security issue, but the immediate business risk for many customers may be operational: users may be unable to sign in if the required certificate update is not completed.

Affected Products

  • Cisco Webex Services configured to use trust anchors within the SSO integration with Control Hub
  • Organizations using Webex SSO through an external identity provider
  • Potentially affected services may include:
    • Webex App new sign-ins on desktop, mobile, and web
    • Webex services in Control Hub, including Calling
    • Webex Meetings sites managed through Control Hub
    • Cisco Jabber, if integrated with SSO

Important scope note:

  • Cisco says only customers using trust anchors were affected by this vulnerability.
  • Customers can determine whether trust anchors are in use by reviewing their SSO configuration in Webex Control Hub.

Recommended Actions

Vendor Guidance

  • Check whether your Webex organization uses trust anchors in its SSO integration.
  • If affected, upload a new IdP SAML certificate to Control Hub.
  • Review SSO configuration and certificate status in Control Hub.
  • Test the SSO update before activating it.
  • If your identity provider supports only a single certificate, perform the change during a scheduled maintenance window.
  • If the update is not completed in time and users cannot sign in, use Cisco’s SSO self-recovery option to temporarily disable SSO and regain administrative access.
  • Contact Cisco TAC or your maintenance provider if you need additional assistance.

Notes

  • No user interaction is required for exploitation based on the advisory.
  • No active exploitation has been confirmed by Cisco.
  • Cisco says there are no workarounds that address the vulnerability.
  • Cisco’s Webex help documentation says SSO trust anchors will be removed on April 30, 2026, and warns that users may be unable to sign in if the certificate update is not completed before then.
  • If an organization’s IdP does not support multiple certificates, Cisco says new sign-ins may briefly fail during the certificate change, while existing sign-ins are preserved.

Additional Resources

Cisco Security Advisory

Cisco Webex Help

high

Microsoft April Patch Tuesday Includes Exploited SharePoint Zero-Day

Updated: April 21st, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft’s April 2026 Patch Tuesday includes security fixes for many products, but the most important business risk is an actively exploited SharePoint Server vulnerability. Microsoft also fixed a publicly disclosed Microsoft Defender privilege escalation flaw and released broader Windows security updates. For most organizations, the immediate priority is to identify any affected SharePoint Server systems and apply updates quickly.


What to Know

  • Microsoft released April 2026 security updates covering a large number of vulnerabilities across its products.
  • One of the patched issues, CVE-2026-32201, is a SharePoint Server spoofing vulnerability that Microsoft says has been exploited in the wild.
  • “Spoofing” means an attacker may be able to make something appear trustworthy when it is not.
  • According to Microsoft, successful exploitation of CVE-2026-32201 could let an attacker view some sensitive information and make changes to disclosed information.
  • Microsoft also fixed CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability.
  • “Elevation of privilege” means a flaw that could let an attacker gain higher system permissions than they should have.
  • Microsoft says the Defender issue was publicly disclosed, but it is addressed through the Microsoft Defender Antimalware Platform update.
  • The Windows cumulative updates released this month include security fixes and should be deployed through normal patching processes.
  • This is a vulnerability issue, not a phishing campaign.
  • Based on the sources provided, exploitation is confirmed for the SharePoint flaw, publicly disclosed for the Defender flaw, and not stated here for the broader Windows cumulative update.

Affected Products

  • Microsoft SharePoint Server affected by CVE-2026-32201
  • Microsoft Defender Antimalware Platform affected by CVE-2026-33825
  • Windows systems receiving the April 14, 2026 cumulative updates, including KB5083769 for supported Windows 11 builds listed by Microsoft

Recommended Actions

Vendor Guidance

  • Review Microsoft’s advisory for CVE-2026-32201 and apply the relevant SharePoint security updates as soon as possible.
  • Check whether your organization runs on-premises Microsoft SharePoint Server and prioritize those systems.
  • Verify that Microsoft Defender Antimalware Platform is updated to version 4.18.26030.3011 or later, as referenced by Microsoft for CVE-2026-33825.
  • Use Microsoft’s April 14, 2026 Windows cumulative updates, including KB5083769 where applicable, as part of regular patch deployment.
  • Follow Microsoft’s official update guidance for the specific Windows build and product versions in your environment.

high

Adobe Emergency Update Fixes Exploited Acrobat, Reader Zero-Day

Updated: April 21st, 2026

Category: Adobe

Source: Adobe

Overview

Adobe has released an emergency security update for Acrobat and Acrobat Reader to fix a zero-day vulnerability that has been exploited in the wild. The flaw involves a sandbox bypass, meaning a malicious PDF may be able to break out of normal security restrictions in the software. For businesses, this matters because PDF files are widely used in day-to-day work, and opening a malicious file could expose sensitive local data.


What to Know

  • Adobe says CVE-2026-34621 affects Acrobat and Acrobat Reader on Windows and macOS.
  • The flaw is a sandbox bypass.
  • A “sandbox” is a security feature designed to isolate risky content and limit what a file can do on a device.
  • If that protection is bypassed, a malicious PDF may gain access to functions it should not be able to use.
  • Adobe says the vulnerability has been exploited in the wild.
  • Based on the reporting provided, the observed exploit allowed attackers to read and steal files from the affected device.
  • User interaction is required in the sense that the victim must open the malicious PDF.
  • Adobe did not list a workaround in its bulletin; updating is the recommended fix.

Affected Products

  • Acrobat DC version 26.001.21367 and earlier
    • Fixed in version 26.001.21411
  • Acrobat Reader DC version 26.001.21367 and earlier
    • Fixed in version 26.001.21411
  • Acrobat 2024 version 24.001.30356 and earlier on Windows
    • Fixed in version 24.001.30362
  • Acrobat 2024 version 24.001.30356 and earlier on macOS
    • Fixed in version 24.001.30360

Recommended Actions

Vendor Guidance

  • Update affected Adobe Acrobat and Acrobat Reader products to the fixed versions listed in Adobe’s bulletin.
  • Use the application’s built-in update option through Help > Check for Updates, or deploy the vendor-provided update through your normal software management process.
  • Review Adobe’s official bulletin for affected versions and remediation details.

Notes

  • Active exploitation is confirmed by Adobe.
  • This issue begins with a malicious PDF file being opened.
  • Adobe’s bulletin does not list a workaround or mitigation other than applying the update.

Additional Resources

Adobe Security Bulletin

Adobe Reader Download Page

high

Microsoft Releases Emergency Windows Server Updates After April Patch Issues

Updated: April 21st, 2026

Category: Microsoft

Source: Microsoft

Overview


Microsoft has released emergency out-of-band updates for several Windows Server versions after the April 2026 security updates caused serious problems on some systems. The most important issue for businesses is that some servers acting as domain controllers began restarting repeatedly after update-related crashes in the Local Security Authority Subsystem Service, or LSASS, a core Windows process used for logins and authentication. This is an operational update issue, not a newly disclosed vulnerability, but it can disrupt access to business systems and services.


What to Know

  • Microsoft says out-of-band updates were released on April 19, 2026, to fix issues introduced by the April 2026 Windows security update.
  • Some Windows Server systems may experience repeated restarts after installing the April updates.
  • The affected scenario is especially important for domain controllers, which handle user logins, authentication, and access across business networks.
  • Microsoft says the restart issue is tied to LSASS crashes.
  • LSASS is a core Windows security process that helps manage sign-ins and authentication.
  • Microsoft also says a limited number of Windows Server 2025 devices may fail when installing the April 2026 security update KB5082063.
  • For Windows Server 2025, the emergency update addresses both the installation failure issue and the domain controller restart issue.
  • For other supported Windows Server versions listed by Microsoft, the emergency updates address the domain controller restart issue.
  • This is an update stability and operations issue, not an actively exploited security flaw in the sources provided.

Affected Items

  • Windows Server 2025
  • Windows Server, version 23H2
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2025 Datacenter: Azure Edition
  • Windows Server 2022 Datacenter: Azure Edition

Important scope note:

  • The installation failure issue is specifically noted for a limited number of Windows Server 2025 devices.
  • The domain controller restart problem affects some versions of Windows Server after the April 2026 security update.
  • Organizations without affected on-premises or hosted Windows Server systems may have little or no direct impact.

Recommended Actions

Vendor Guidance

  • Review Microsoft’s April 19, 2026 Windows Message Center notice for the affected server versions and corresponding out-of-band updates.
  • If you run Windows Server 2025, install KB5091157 to address both the installation failure issue and the domain controller restart issue.
  • If you run other affected supported Windows Server versions, install the matching out-of-band update Microsoft lists for your platform.
  • If you use Azure Edition hotpatch systems, apply the corresponding hotpatch out-of-band update listed by Microsoft.
  • Follow the installation guidance in the relevant Microsoft KB article for your server version.

critical

Fortinet Releases Emergency Patch for Actively Exploited FortiClient EMS Flaw

Updated: April 13th, 2026

Category: Fortinet

Source: Fortinet

Overview

Fortinet has released an emergency fix for a critical vulnerability in FortiClient Enterprise Management Server, or EMS. FortiClient EMS is a centralized management server used to manage FortiClient deployments. Fortinet says the flaw is being actively exploited in the wild. This is a product vulnerability, not a phishing issue, and affected organizations should apply the vendor hotfix immediately.


What to Know

  • The vulnerability is tracked as CVE-2026-35616.
  • Fortinet describes it as an improper access control issue.
  • The flaw can allow an unauthenticated attacker to execute code or commands using specially crafted requests.
  • Unauthenticated means the attacker does not need to log in first.
  • Exploitation status: confirmed. Fortinet says it has observed the vulnerability being exploited in the wild.
  • Patch status: hotfixes are available now for affected versions.
  • Fortinet says the issue affects FortiClient EMS 7.4.5 and 7.4.6.
  • Fortinet says FortiClient EMS 7.2 is not affected.
  • Fortinet also says the fix will be included in FortiClient EMS 7.4.7 when it becomes available.

Affected Products

  • FortiClient EMS 7.4.5
  • FortiClient EMS 7.4.6

Not affected, based on the provided sources:

  • FortiClient EMS 7.2

Recommended Actions

Vendor Guidance

  • Install the Fortinet hotfix immediately if you are running FortiClient EMS 7.4.5 or 7.4.6.
  • Upgrade to FortiClient EMS 7.4.7 when it becomes available if that is your standard update path.

For affected systems

  • Identify any FortiClient EMS servers running version 7.4.5 or 7.4.6.
  • Prioritize internet-exposed or externally reachable EMS deployments for immediate remediation.
  • Apply the version-specific Fortinet hotfix provided in the official release notes.

Additional Best Practices

  • Confirm whether FortiClient EMS management servers are exposed to the internet or otherwise reachable from untrusted networks.
  • After patching, review server and security logs for unusual requests or unexpected command execution activity.
  • If you suspect compromise, engage your IT team, MSSP, or incident response provider to assess the server before returning it to normal operation.

Additional Resources

FortiClient EMS 7.4.5 hotfix release notes

FortiClient EMS 7.4.6 hotfix release notes

high

Microsoft Warns of “Payroll Pirate” Attacks Targeting Canadian Employees

Updated: April 13th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft says a financially motivated threat actor it tracks as Storm-2755 is targeting Canadian employees in an effort to hijack payroll payments. This is not a software flaw or patch issue. The campaign starts with user interaction: victims are lured through malicious search results to a fake Microsoft 365 sign-in page, where attackers steal credentials and session tokens. Microsoft says the attackers then use that access to impersonate employees and try to redirect direct-deposit payments to attacker-controlled bank accounts.


What to Know

  • This is a credential phishing and session hijacking campaign, not a product vulnerability.
  • Microsoft says the activity targets Canadian users broadly rather than a single industry.
  • The campaign uses SEO poisoning and malvertising. In plain English, attackers try to place malicious links high in search results for terms like “Office 365” so users click them.
  • Victims are sent to a fake Microsoft 365 login page designed to steal credentials and authentication tokens.
  • Microsoft says the attackers use an adversary-in-the-middle, or AiTM, technique. This means the attacker sits between the user and the real login service to capture an already authenticated session.
  • Because the attackers steal valid session tokens, they may be able to bypass traditional multifactor authentication that is not phishing-resistant.
  • After getting access, Microsoft says the attackers searched for payroll and HR-related resources, created inbox rules to hide related emails, and in some cases tried to change payroll details.
  • Microsoft reports direct financial loss in at least one observed case.
  • Exploitation status: confirmed. Microsoft says it observed this campaign affecting Canadian users.
  • Patch status: there is no software patch because this is not described as a product flaw. The main defenses are identity protections, session controls, monitoring, and user awareness.

Who's Affected

  • Canadian employees and organizations targeted through fake Microsoft 365 login pages
  • Organizations using Microsoft 365
  • Organizations with online HR and payroll workflows
  • Microsoft specifically notes that the attackers may pivot to HR and payroll SaaS platforms such as Workday

Recommended Actions

Vendor Guidance

For affected accounts
  • Revoke compromised tokens and sessions immediately.
  • Remove malicious inbox rules.
  • Reset credentials and MFA methods for affected accounts.

For general defense

  • Enforce device compliance through Conditional Access policies.
  • Implement phishing-resistant MFA.
  • Block legacy authentication protocols.
  • Use a SIEM or similar logging capability to establish a baseline of regular and irregular activity.
  • Enable Microsoft Defender to help disrupt attacks, revoke tokens in real time, monitor for unusual user-agents such as Axios, and audit OAuth applications.
  • Run phishing simulation campaigns to improve user awareness.
  • Use Conditional Access policies to configure adaptive session lifetime policies.
  • Leverage continuous access evaluation (CAE).
  • Consider Global Secure Access (GSA) as a complementary network control path.
  • Create alerting for suspicious inbox-rule creation.
  • Use Microsoft Intune compliance policies with Conditional Access to help restrict access to compliant devices.

Additional Best Practices

  • Warn staff not to search for Microsoft 365 or payroll portals through ads or unfamiliar search results when they can use saved bookmarks or known direct links instead.
  • Tell HR, payroll, and finance teams to treat unexpected direct-deposit change requests with extra caution and verify them through a separate trusted channel.
  • Review whether employees can change payroll details through self-service portals and whether additional verification is required for bank account changes.
  • If you suspect compromise, review account activity outside normal work hours and check for hidden or suspicious inbox rules.

Indicators of Compromise (IoCs)

Microsoft’s blog includes specific indicators that may help defenders investigate suspicious activity.

What they are:

  • bluegraintours[.]com — a malicious website Microsoft says was used to steal user tokens
  • axios/1.7.9 — a user-agent string Microsoft says was observed during the AiTM activity
  • A sign-in pattern involving multiple failed sign-ins, followed by Microsoft Entra error code 50199, then a successful sign-in with the session ID unchanged but the user-agent changed to Axios

Why they matter:

  • These signs may indicate that a user was tricked by the fake login page and that the attacker replayed a stolen authenticated session.

What to do if you see them:

  • Treat the account as potentially compromised.
  • Revoke sessions and tokens immediately.
  • Reset the user’s password and MFA methods.
  • Check for suspicious inbox rules and payroll-related account changes.
  • Review related HR and payroll systems for unauthorized changes.

Notes

  • User interaction is required early in the attack chain: the victim must click a malicious result and sign in to a fake Microsoft 365 page.
  • This is not a product flaw; it is a phishing and session hijacking campaign.
  • Exploitation is confirmed by Microsoft.
  • The direct financial impact described in the source is payroll redirection.

Additional Resources

Microsoft Security Blog

 

high

Iranian-Linked Cyber Activity Targets Internet-Exposed Rockwell / Allen-Bradley PLCs in the U.S.

Updated: April 13th, 2026

Category: Rockwell

Source: Joint Cybersecurity Advisory

Overview

U.S. federal agencies are warning that Iranian-affiliated cyber actors are actively targeting internet-exposed Rockwell Automation / Allen-Bradley programmable logic controllers, or PLCs. PLCs are industrial devices used to control equipment and processes in environments such as water systems, energy operations, manufacturing, and other critical infrastructure. This is not a routine IT issue or a general phishing alert. It is an operational technology threat that has already been linked to disruption and financial loss.


What to Know

  • This is a targeted cyber campaign against operational technology, also called OT, rather than a newly announced product flaw.
  • The joint U.S. advisory says Iranian-affiliated actors have targeted internet-facing Rockwell Automation / Allen-Bradley PLCs since at least March 2026.
  • The advisory says the activity has caused operational disruption and financial losses.
  • The FBI identified activity that included extracting device project files and manipulating data shown on HMI and SCADA displays.
  • HMI and SCADA are systems used by operators to monitor and manage industrial processes. If those displays are manipulated, operators may be shown false or misleading information.
  • The advisory highlights greatest concern for organizations with internet-exposed PLCs.
  • Censys says it found 5,219 internet-exposed Rockwell / Allen-Bradley hosts globally, including 3,891 in the United States.
  • Exploitation status: confirmed. The government advisory describes this as active malicious targeting, not just theoretical risk.
  • This is not presented as a broad risk to all businesses. The direct concern is highest for organizations using exposed industrial control equipment.

Affected Devices/Organizations

  • Organizations using internet-facing Rockwell Automation / Allen-Bradley PLCs
  • U.S. critical infrastructure organizations, especially those in:
    • Government Services and Facilities
    • Water and Wastewater Systems
    • Energy
  • Other industrial or field-deployed environments that expose PLCs directly to the internet, including over cellular connections
  • Organizations using HMI and SCADA environments connected to exposed OT devices

Recommended Actions

Vendor Guidance

  • Disconnect PLCs from the public internet where possible.
  • Place PLCs behind a firewall if they cannot be disconnected.
  • Enforce multifactor authentication for access to OT networks.
  • Keep PLC devices up to date.
  • Disable unused services and authentication methods.
  • Review logs for signs of malicious activity.
  • Monitor for suspicious traffic on OT ports, especially traffic originating from overseas hosting providers.

Notes

  • Active malicious targeting is confirmed by a joint U.S. government advisory.
  • The direct risk is for organizations with internet-exposed Rockwell / Allen-Bradley PLCs.
  • User interaction is not the main issue; exposure of industrial devices to the internet is the key risk.

Additional Resources

Censys research

critical

Ninja Forms File Uploads Flaw Enables Unauthenticated Malicious File Uploads on WordPress Sites

Updated: April 13th, 2026

Category: WordPress

Source: Wordfence

Overview

A critical vulnerability in the Ninja Forms File Uploads add-on for WordPress can allow an attacker to upload malicious files to a website without logging in. In practical terms, that could let an attacker place harmful code on the server and potentially take control of the site. This is a product vulnerability, not a phishing issue.


What to Know

  • This is a vulnerability in the Ninja Forms File Uploads plugin, a premium add-on used with WordPress.
  • The issue is tracked as CVE-2026-0740.
  • It is an unauthenticated arbitrary file upload flaw, which means an attacker may be able to send a dangerous file to the site without needing an account.
  • Wordfence says the flaw can make remote code execution possible. Remote code execution means an attacker may be able to run their own code on the web server.
  • According to Wordfence, the vulnerability affects all versions up to and including 3.3.26.
  • Wordfence says version 3.3.25 only partially fixed the issue, and version 3.3.27 fully patched it.
  • Exploitation status: active attack attempts are confirmed. Wordfence reported blocking 10,946 attacks targeting this vulnerability in the past 24 hours.
  • The sources provided do not confirm how many websites, if any, were successfully compromised.
  • This does not appear to be a WordPress core issue.
  • This is not simply a problem with the main Ninja Forms plugin listing on WordPress.org; the risk centers on the File Uploads add-on.

Affected

  • WordPress sites using Ninja Forms File Uploads
  • Affected versions: all versions up to and including 3.3.26
  • Fixed version: 3.3.27
  • WordPress sites that do not use the File Uploads add-on are not directly affected based on the sources provided

Recommended Actions

Vendor Guidance

  • Update Ninja Forms File Uploads to version 3.3.27 or a newer patched version.
  • Confirm whether your site has the Ninja Forms File Uploads add-on installed, even if you already use the main Ninja Forms plugin.

Additional Resources

Main Ninja Forms WordPress.org page

high

Smart Slider 3 WordPress Plugin Flaw Could Expose Sensitive Files on Business Websites

Updated: April 2nd, 2026

Category: WordPress

Source: Wordfence

Overview

A vulnerability in the Smart Slider 3 WordPress plugin could let a basic logged-in user read sensitive files from the server. This is a product vulnerability in a WordPress plugin, not a phishing issue.

For businesses, the main concern is that an attacker with a low-level account, such as a subscriber, may be able to access files like wp-config.php, which can contain database credentials and important WordPress security keys. That can increase the risk of data theft and even full website takeover.


What to Know

  • This affects the Smart Slider 3 plugin for WordPress.
  • The issue is tracked as CVE-2026-3098.
  • According to Wordfence, the flaw is caused by missing permission checks in certain AJAX export actions.
  • In plain English, this means a logged-in user who should not have this level of access may be able to export and read files from the server.
  • Wordfence says the flaw can be exploited by authenticated users, including subscriber-level users.
  • That matters because many business websites allow account creation for customers, members, subscribers, students, or partners.
  • Sensitive files may include wp-config.php, which can contain:
    • database credentials
    • authentication keys
    • cryptographic salts used to protect sessions and logins
  • Exploitation status: no active exploitation is confirmed in the provided sources.
  • Patch status: fixed in Smart Slider 3 version 3.5.1.34.
  • User interaction: exploitation requires a logged-in account. This is not described as an anonymous internet-wide attack based on the provided sources.
  • This is not a WordPress core flaw. It is specific to the Smart Slider 3 plugin.

Affected Products

According to the provided source material:

  • Affected plugin: Smart Slider 3
  • Affected versions: all versions through 3.5.1.33
  • Fixed version: 3.5.1.34

Highest-risk environments include:

  • WordPress sites using Smart Slider 3
  • Sites that allow user registration
  • Membership, subscription, customer portal, or community sites
  • Any environment where low-privilege users can obtain a valid login

Recommended Actions

Vendor Guidance

  • Update Smart Slider 3 to version 3.5.1.34 or later.
  • Review the plugin’s official WordPress.org page or developer release information to confirm you are on the fixed version.

Additional Resources

WordPress Smart Slider 3 Plugin Page

critical

Citrix NetScaler Memory Disclosure Flaw Is Being Exploited to Expose Sensitive Session Data

Updated: April 2nd, 2026

Category: Citrix

Source: watchTowr Labs

Overview

Citrix has patched a critical vulnerability in NetScaler ADC and NetScaler Gateway tracked as CVE-2026-3055. Citrix describes it as insufficient input validation leading to memory overread. In plain English, that means an attacker can make the appliance return pieces of data from memory that should never be exposed.

This is a product vulnerability, not a phishing issue. The issue is especially important because trusted third-party research says attackers are already exploiting it in the wild to extract sensitive information, including administrative session identifiers that could help take over affected appliances.


What to Know

  • This is a vulnerability in Citrix NetScaler ADC and NetScaler Gateway.
  • Citrix says the flaw affects appliances configured as a SAML identity provider, or SAML IdP.
  • A SAML identity provider is a system that handles logins for other services, so compromise can have broader identity and access impact.
  • Citrix rates CVE-2026-3055 as Critical.
  • The flaw can expose memory contents from the appliance.
  • Trusted third-party research from watchTowr says the exposed memory can include sensitive data such as authenticated administrative session IDs.
  • Exploitation status: exploitation is confirmed by third-party researchers. watchTowr says it observed in-the-wild exploitation beginning by at least March 27, 2026.
  • Citrix’s bulletin, as scraped here, does not state that exploitation is active.
  • Patch status: Citrix has released fixed versions.
  • User interaction is not required based on the vendor’s description and published research.
  • Scope clarification: Citrix says this bulletin applies to customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are upgraded by the vendor.

Affected Products

Citrix says CVE-2026-3055 affects the following supported versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-60.58
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC FIPS and NDcPP before 13.1-37.262

Precondition for CVE-2026-3055:

  • The appliance must be configured as a SAML IdP

Citrix says administrators can check for that configuration by looking for:

  • add authentication samlIdPProfile .*

Recommended Actions

Vendor Guidance

  • Upgrade affected NetScaler ADC and NetScaler Gateway appliances as soon as possible.
  • Citrix lists the following fixed versions:
    • NetScaler ADC and NetScaler Gateway 14.1-60.58
    • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later
    • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later 13.1 releases
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later
  • Confirm whether the appliance is configured as a SAML IdP by inspecting the configuration for:
    • add authentication samlIdPProfile .*
  • If you need help with the update, contact Citrix Technical Support.

Indicators of Compromise (IoCs)

What the IoCs are:

  • watchTowr says exploitation activity targeted the following endpoints:
    • /saml/login
    • /wsfed/passive?wctx
  • The research says exploitation can cause unexpected NSC_TASS cookie values containing leaked memory.
  • watchTowr also says unusual log messages may appear in /var/log/ns.log, particularly around malformed or incomplete SAML processing.

Why they matter:

  • These signs may indicate attempts to make the appliance leak memory.
  • The exposed memory may contain sensitive information, including active session data.

What readers should do if they see them:

  • Treat the appliance as potentially compromised.
  • Patch immediately if not already updated.
  • Review active admin sessions and authentication activity.
  • Consider incident response steps such as session invalidation, credential review, and deeper forensic investigation.

Additional Resources

Citrix Advisory

high

Google Patches Another Chrome Zero-Day Exploited in the Wild

Updated: April 2nd, 2026

Category: Chrome

Source: Google

Overview

Google has issued an emergency Chrome security update for CVE-2026-5281, a zero-day vulnerability that the company says is being exploited in the wild. A zero-day is a flaw attackers are already using before most users have installed a fix.

This is a product vulnerability in the Chrome browser, not a phishing campaign or social engineering issue. For businesses and everyday users, the main message is straightforward: update Chrome as soon as possible.


What to Know

  • Google says an exploit for CVE-2026-5281 exists in the wild.
  • The flaw has been described as a use-after-free vulnerability in Dawn, a Chromium component related to WebGPU.
  • A use-after-free flaw is a software memory bug that can lead to crashes, unstable behavior, or potentially more serious security impact.
  • This is an emergency, out-of-band update, meaning Google released it outside the normal update cycle.
  • Chrome is widely used in business environments, so the practical exposure can be broad.
  • User interaction: the available source material does not fully describe the attack chain, but browser vulnerabilities commonly require a user to browse to a malicious or compromised site.
  • Patch status: fixes have been released by Google.
  • Exploitation status: confirmed by Google. Google says an exploit exists in the wild.
  • Google has limited public technical details for now, which is common when active exploitation is involved.

Affected Products

Based on the source material provided, this affects Google Chrome desktop users who have not yet installed the latest security update.

Platforms mentioned in reporting include:

  • Windows
  • macOS
  • Linux

Recommended Actions

Vendor Guidance

  • Update Google Chrome immediately to the latest available stable desktop version.
  • If your browser has not updated yet, manually check for updates in Chrome and restart the browser to apply them.
  • Allow browser restarts where needed so the security update actually takes effect.

Additional Best Practices

  • Prioritize updates on employee systems used for email, web access, and cloud administration.
  • Make sure managed devices are receiving browser updates promptly through your endpoint or software management tools.
  • Remind users not to postpone browser restarts when security updates are pending.
  • If your organization uses Chromium-based browsers beyond Chrome, monitor vendor advisories for any related fixes.

Indicators of Compromise (IoCs)

No specific indicators of compromise were provided in the source material.

For most organizations, the most useful action is to confirm patching rather than look for highly technical signs of exploitation. If you suspect suspicious browser behavior on an unpatched system, such as unexplained crashes tied to web browsing or unusual endpoint activity after visiting a site, investigate the device and confirm it has been updated.

 

critical

Cisco IMC Authentication Bypass Could Give Remote Attackers Admin Access

Updated: April 2nd, 2026

Category: Cisco

Source: Cisco

Overview

Cisco has released security updates for a critical vulnerability in Cisco Integrated Management Controller, or IMC, the hardware-based server management feature used on certain Cisco systems. This is a product flaw, not a phishing or social engineering issue.

If a vulnerable IMC interface is reachable, an attacker could send a crafted web request, bypass authentication, change passwords for system users, and then log in as that user, including an administrator. This matters because IMC is an out-of-band management tool, meaning it can manage servers even when the main operating system is down.


What to Know

  • This is a vulnerability in Cisco IMC password change handling.
  • It is not a user-driven attack. No employee click or login is required for exploitation.
  • Cisco says an unauthenticated remote attacker could exploit it by sending a crafted HTTP request.
  • A successful attack could let the attacker:
    • bypass authentication
    • change passwords for any user on the system
    • gain Admin-level access
  • This is especially serious because IMC is a server management interface with deep control over affected systems.
  • Exploitation status: no exploitation is confirmed by Cisco at this time. Cisco says it is not aware of public announcements or malicious use.
  • Patch status: fixes are available.
  • Workaround status: Cisco says there are no workarounds.

Affected Products

Cisco says the vulnerability affects the following products if they are running a vulnerable release of Cisco IMC:

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

Cisco also says some preconfigured Cisco appliances built on affected UCS C-Series hardware are affected if they expose access to the Cisco IMC user interface. Cisco lists the following examples:

  • Application Policy Infrastructure Controller (APIC) Servers
  • Business Edition 6000 and 7000 Appliances
  • Catalyst Center Appliances
  • Cisco Telemetry Broker Appliances
  • Cloud Services Platform (CSP) 5000 Series
  • Common Services Platform Collector (CSPC) Appliances
  • Connected Mobile Experiences (CMX) Appliances
  • Connected Safety and Security UCS Platform Series Servers
  • Cyber Vision Center Appliances
  • Expressway Series Appliances
  • HyperFlex Edge Nodes
  • HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect deployment mode
  • IEC6400 Edge Compute Appliances
  • IOS XRv 9000 Appliances
  • Meeting Server 1000 Appliances
  • Nexus Dashboard Appliances
  • Prime Infrastructure Appliances
  • Prime Network Registrar Jumpstart Appliances
  • Secure Endpoint Private Cloud Appliances
  • Secure Firewall Management Center Appliances
  • Secure Malware Analytics Appliances
  • Secure Network Analytics Appliances
  • Secure Network Server Appliances
  • Secure Workload Servers

Cisco says the following are confirmed not vulnerable:

  • UCS B-Series Blade Servers
  • UCS C-Series M7 and M8 Rack Servers in standalone mode
  • UCS C-Series Rack Servers with Fabric Interconnects in UCS Manager or Intersight Managed Mode
  • UCS S-Series Storage Servers
  • UCS X-Series Modular System
  • Unified Edge

Recommended Actions

Vendor Guidance

  • Identify whether your organization uses affected Cisco IMC-capable servers or appliances.
  • Upgrade to a fixed software release listed in Cisco’s advisory.
  • For 5000 Series ENCS and Catalyst 8300 Series Edge uCPE, Cisco says IMC is updated through Cisco Enterprise NFV Infrastructure Software, so organizations should follow the NFVIS fixed-release guidance.
  • For preconfigured Cisco appliances built on affected UCS hardware, follow Cisco’s product-specific remediation instructions in the advisory.
  • If you use affected Secure Firewall Management Center appliances, apply the Cisco hotfix referenced in the advisory.
  • If you use affected Secure Endpoint Private Cloud, Secure Malware Analytics, Secure Network Analytics, Secure Network Server, Telemetry Broker, or IEC6400 appliances, follow the specific remediation path Cisco provides for those platforms.
  • If you are unsure which fixed release applies, use Cisco’s advisory and product guidance to confirm the correct upgrade path.

Additional Best Practices

  • Review whether Cisco IMC interfaces are exposed to untrusted networks or the public internet.
  • Restrict access to management interfaces to only trusted administrators and trusted network paths where possible.
  • After patching, review administrator accounts and password changes to make sure no unauthorized changes occurred.
  • Prioritize systems that provide critical business services or centralized infrastructure management.

Indicators of Compromise (IoCs)

Cisco’s advisory does not provide specific indicators of compromise for this issue.

For organizations that may be exposed, useful signs to review include:

  • unexpected password changes for IMC accounts
  • unexpected administrator access to Cisco IMC
  • unusual access to server management interfaces
  • configuration changes that were not made by authorized staff

If you see signs like these, investigate the affected management interface and review related logs and account activity.


Notes

  • User interaction is not required based on Cisco’s description.
  • Active exploitation is not confirmed by Cisco at the time of publication.
  • There are no workarounds, so patching is the primary remediation path.
  • Business impact will be highest for organizations that use affected Cisco servers or appliances and expose IMC access.

Additional Resources

Cisco Security Advisories List

critical

Oracle Releases Emergency Fix for Critical Identity Manager RCE Vulnerability

Updated: March 27th, 2026

Category: Oracle

Source: Oracle

Overview

Oracle has released an emergency security update for a critical remote code execution (RCE) vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager.

Tracked as CVE-2026-21992, the flaw can be exploited remotely over HTTP without authentication, meaning an attacker may be able to target an exposed system without logging in first. Because these products are tied to identity, access, and service security, the issue should be treated as a high-priority patching matter.


What to Know

  • What the issue is:
    CVE-2026-21992 is a critical vulnerability that may allow remote code execution.

  • What that means in plain language:
    A successful attack could let an attacker run malicious code on the affected server.

  • Affected products:

    • Oracle Identity Manager
    • Oracle Web Services Manager
  • Affected versions:

    • 12.2.1.4.0
    • 14.1.2.1.0
  • Attack requirements:
    Oracle says the flaw is:

    • exploitable over HTTP
    • unauthenticated
    • low complexity
    • requires no user interaction
  • Severity:
    Oracle lists the issue with a CVSS v3.1 score of 9.8.

  • Patch status:
    Oracle has released an out-of-band Security Alert and strongly recommends customers apply the updates as soon as possible.

  • Exploitation status:
    Oracle has not publicly confirmed active exploitation in the source provided.

  • Support status caveat:
    Oracle notes that Security Alert patches are provided for versions under Premier or Extended Support. Older unsupported versions may still be vulnerable.


Affected

  • Oracle Identity Manager 12.2.1.4.0
  • Oracle Identity Manager 14.1.2.1.0
  • Oracle Web Services Manager 12.2.1.4.0
  • Oracle Web Services Manager 14.1.2.1.0

This is most important for organizations with systems that are:

  • internet-facing
  • reachable over HTTP from other networks
  • used for identity, authentication, or service security functions

Vendor Guidance

  • Apply Oracle’s Security Alert update as soon as possible for affected products and versions.
  • Review the official Oracle alert for patch details and product-specific guidance.
  • Remain on actively supported versions and apply Security Alerts and Critical Patch Updates without delay.

Additional Best Practices

  • Prioritize externally reachable systems first, since Oracle says the flaw is remotely exploitable over HTTP.
  • Identify any unsupported older deployments of these products, since they may be vulnerable but not eligible for current fixes.
  • Treat exposed identity and access systems as high-priority assets for patching and post-update review.

Additional Resources

Oracle Critical Patch Updates

none

FBI Warns of Signal Phishing Campaigns Linked to Russian Intelligence

Updated: March 27th, 2026

Category: Signal/WhatsApp

Source: FBI

Overview

The FBI is warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns designed to hijack accounts.

The warning does not say Signal or WhatsApp encryption has been broken. Instead, the attackers are reportedly tricking users into giving access to their accounts by sharing verification codes or linking an attacker-controlled device. Once that happens, attackers may be able to read messages, monitor conversations, and impersonate the victim.


What to Know

  • What this is:
    An account hijacking and phishing campaign targeting users of commercial messaging apps, especially Signal.

  • Who is behind it:
    The FBI links the activity to Russian intelligence services.

  • How the attack works:
    The attackers do not break end-to-end encryption. Instead, they trick users into:

    • sharing a verification code
    • scanning a malicious QR code
    • linking the account to an attacker-controlled device
  • Why it matters:
    If successful, the attacker may be able to:

    • read private messages
    • access contact lists
    • impersonate the victim
    • send more phishing messages from a trusted account
    • monitor group chats and ongoing conversations
  • Who is being targeted:
    The FBI says the main targets include:

    • current and former U.S. government officials
    • military personnel
    • political figures
    • journalists
  • Broader relevance:
    Even though the highest-value targets are specific groups, the phishing methods could be used more broadly against anyone using Signal or WhatsApp for sensitive communications.

  • Exploitation status:
    The FBI says the campaign has already led to unauthorized access to thousands of accounts worldwide.

  • Important clarification:
    This is a phishing and account takeover issue, not a newly disclosed vulnerability in Signal or WhatsApp.


Who's Affected?

  • Signal users
  • WhatsApp users
  • Other users of commercial messaging apps where account linking or verification workflows can be abused
  • Organizations and individuals using these apps for sensitive communications

Higher-risk groups called out by the FBI:

  • current and former U.S. government officials
  • military personnel
  • political figures
  • journalists

Vendor / Authority Guidance

  • Be suspicious of unexpected messages, even if they appear to come from support or a trusted contact.
  • Do not share verification codes with anyone.
  • Do not scan QR codes sent through unsolicited messages unless you are certain they are legitimate.
  • Be cautious about device-linking requests involving Signal, WhatsApp, or similar apps.
  • Review linked devices on your messaging accounts and remove any you do not recognize.

Additional Best Practices

  • Warn staff and high-risk users that attackers may pose as support accounts to gain access.
  • Treat any request to “reconnect,” “verify,” or “re-link” a messaging account as suspicious unless it was initiated directly by the user.
  • If account compromise is suspected, act quickly by removing unknown linked devices, changing credentials where applicable, and alerting contacts that the account may have been misused.

Additional Resources

FBI PSA

Bleeping Computer

medium

Microsoft Releases Emergency Update for Windows 11 Microsoft Account Sign-In Issue

Updated: March 27th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has released an out-of-band update, KB5085516, to fix a Windows 11 issue that can break sign-ins with Microsoft accounts across several Microsoft apps and services.

Affected users may see an error saying they need an internet connection even when the device is online. Microsoft says this issue affects Microsoft account sign-ins and does not affect businesses using Entra ID for app authentication.


What to Know

  • What the issue is:
    A Windows 11 update-related problem that can block sign-ins using Microsoft accounts.

  • What users may see:
    An error similar to:
    “You'll need the Internet for this. It doesn't look like you're connected to the Internet.”

  • What is affected:
    Microsoft says the issue can affect sign-ins in apps and services including:

    • Microsoft Teams
    • OneDrive
    • Microsoft Edge
    • Microsoft 365 Copilot
    • Office apps such as Excel and Word for features that require a Microsoft account
  • What caused it:
    The issue appeared after installing KB5079473, part of Microsoft’s Patch Tuesday updates.

  • Who is not affected:
    Microsoft says businesses using Entra ID for app authentication are not affected.

  • Fix status:
    Microsoft says the problem is resolved by updates released March 21, 2026, and later, including KB5085516.

  • Affected platforms:
    Microsoft says the out-of-band update is available for Windows 11 versions 25H2 and 24H2 devices that receive standard Windows updates.


Affected

  • Windows 11 version 25H2
  • Windows 11 version 24H2
  • Devices impacted by the Microsoft account sign-in issue after installing KB5079473
  • Environments using Microsoft accounts for app sign-in

Not affected, according to Microsoft:

  • Organizations using Entra ID for app authentication

Vendor Guidance

  • Install the latest Windows updates, including KB5085516 or later updates, as Microsoft says they resolve this issue.
  • Use Windows Update or the Microsoft Update Catalog to deploy the out-of-band update where needed.
  • If immediate updating is not possible, Microsoft previously suggested restarting the PC as a temporary workaround while the fix was being rolled out.

 

critical

PTC Warns of Critical Windchill and FlexPLM RCE Risk

Updated: March 27th, 2026

Category: PTC

Source: PTC

Overview

PTC is warning customers about a critical remote code execution (RCE) vulnerability affecting Windchill and FlexPLM, two product lifecycle management platforms used in manufacturing, engineering, and product design environments.

The issue, tracked as CVE-2026-4681, could allow an attacker to run malicious code on an affected server. PTC says there is credible evidence of an imminent threat, but also says that, at this time, it has no evidence of confirmed exploitation affecting PTC customers. No full patch is available yet, so organizations are being told to apply vendor mitigation steps immediately.


What to Know

  • What the issue is:
    CVE-2026-4681 is a remote code execution flaw. In simple terms, a successful attack could let someone run unauthorized code on an affected Windchill or FlexPLM server.

  • Why it matters:
    These systems often store sensitive business information such as product data, design files, engineering workflows, and related intellectual property.

  • What products are affected:
    Windchill and FlexPLM, including multiple supported versions and all CPS versions listed by PTC.

  • Patch status:
    PTC says it is actively developing and releasing security patches for supported Windchill versions, but a complete patch solution was not yet available in the advisory provided.

  • Current risk level:
    PTC says there is credible evidence of an imminent threat related to this vulnerability.

  • Exploitation status:
    PTC also says there is no evidence of confirmed exploitation affecting PTC customers at this time.

  • Temporary mitigation is available:
    PTC has published Apache and IIS workaround steps to block the affected servlet path.

  • Important scope note:
    PTC says the workaround should be applied to all deployments, not just internet-facing systems, though publicly accessible systems should be prioritized first.

  • Cloud-hosted customers:
    PTC says the Apache workaround has already been applied to PTC-hosted Windchill and FlexPLM systems.


Affected Products

PTC says the advisory applies to:

Windchill PDMLink

  • 11.0 M030
  • 11.1 M020
  • 11.2.1.0
  • 12.0.2.0
  • 12.1.2.0
  • 13.0.2.0
  • 13.1.0.0
  • 13.1.1.0
  • 13.1.2.0
  • 13.1.3.0

FlexPLM

  • 11.0 M030
  • 11.1 M020
  • 11.2.1.0
  • 12.0.0.0
  • 12.0.2.0
  • 12.0.3.0
  • 12.1.2.0
  • 12.1.3.0
  • 13.0.2.0
  • 13.0.3.0

Additional note from PTC:

  • the advisory applies to all CPS versions
  • releases prior to 11.0 M030 are also impacted

Vendor Guidance

  • Apply PTC’s Apache or IIS workaround immediately to affected Windchill and FlexPLM systems.
  • Prioritize publicly accessible systems first, but apply the mitigation to all deployments, not just internet-facing ones.
  • Apply the same precautions to file server and replica server configurations where applicable.
  • For releases prior to 11.0 M030, use PTC’s out-of-support guidance and ensure those systems are not connected to the internet.
  • If you cannot apply the workaround quickly, PTC recommends:
    • shutting down the Windchill or FlexPLM service, or
    • disconnecting the system from the public internet
  • Review PTC’s IoCs and detection guidance to check for signs of compromise.
  • If IoCs are found, notify your security team immediately and begin your incident response process.
  • Monitor the PTC advisory for updates as patches are released.

Indicators of Compromise

PTC has provided detection guidance to help customers look for signs that the vulnerability may have been used. These indicators are mainly useful for IT and security teams checking affected servers and logs. See the complete advisory for details.


Additional Resources

PTC out-of-support workaround guidance

high

Citrix Urges Rapid Patching for NetScaler Flaws

Updated: March 27th, 2026

Category: Citrix

Source: Citrix

Overview

Citrix has released security updates for two vulnerabilities affecting NetScaler ADC and NetScaler Gateway. One of them, CVE-2026-3055, is especially concerning because it may allow an unauthenticated attacker to retrieve sensitive information, including session tokens, from affected systems.

This has drawn attention because the issue is being compared to past “CitrixBleed” flaws that were widely exploited. Citrix is urging administrators to patch affected systems as soon as possible, especially if those systems are exposed to the internet.


What to Know

  • What the issue is:
    Citrix patched two NetScaler vulnerabilities:

    • CVE-2026-3055 — an input validation flaw that can lead to a memory overread
    • CVE-2026-4368 — a race condition that can lead to user session mix-ups
  • What that means in plain language:
    A memory overread can allow a system to reveal data it should not expose. In this case, Citrix says that could include session tokens, which may help an attacker hijack an active user session.

  • What products are affected:
    NetScaler ADC and NetScaler Gateway

  • Important configuration detail:
    The more serious flaw, CVE-2026-3055, affects appliances configured as a SAML identity provider (IDP).
    CVE-2026-4368 affects appliances configured as Gateway services such as SSL VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers.

  • Attack requirements:

    • CVE-2026-3055: remote attacker, no privileges required
    • CVE-2026-4368: attacker needs low privileges on the target system
  • Exploitation status:
    Public reporting provided here does not confirm active exploitation of these specific new CVEs.

  • Patch status:
    Citrix has released fixes and published remediation guidance.


Affected Products

Affected versions and fixed builds reported by Citrix and related coverage include:

  • NetScaler ADC 14.1 — fixed in 14.1-66.59
  • NetScaler ADC 13.1 — fixed in 13.1-62.23
  • NetScaler Gateway 14.1 — fixed in 14.1-66.59
  • NetScaler Gateway 13.1 — fixed in 13.1-62.23
  • NetScaler ADC 13.1-FIPS — fixed in 13.1-37.262
  • NetScaler ADC 13.1-NDcPP — fixed in 13.1-37.262

Especially relevant:

  • CVE-2026-3055: systems configured as SAML IDP
  • CVE-2026-4368: systems configured as Gateway or AAA virtual server

  • Patch affected NetScaler systems as soon as possible.
    Prioritize internet-facing systems first.

  • Determine whether vulnerable features are enabled.
    Check whether your NetScaler appliance is configured as a SAML identity provider, Gateway, or AAA virtual server.

  • Use Citrix remediation guidance.
    Citrix has published instructions for identifying impacted instances and moving them into the upgrade workflow.

  • Review upgrade considerations before patching.
    Citrix notes that systems with a copied /etc/httpd.conf file in /nsconfig may require extra planning before upgrade.

  • Review authentication and session activity after patching.
    Look for unusual login behavior, unexpected session activity, or signs of session misuse.

  • If compromise is suspected, expire active sessions and review credentials.
    Because session data may be exposed, organizations should consider forcing reauthentication where appropriate.

  • Monitor for follow-up guidance.
    Watch Citrix, CISA, and trusted security researchers for any updates on exploitation or additional mitigations.


Notes

  • This should be treated as a new alert
  • This is a product vulnerability issue, not a phishing campaign or operational outage
  • The highest practical risk appears to be on internet-facing NetScaler systems
  • The more serious flaw does not affect every NetScaler deployment equally; it depends on configuration
  • Public reporting in the materials provided does not confirm active exploitation at this time
  • Similarity to past CitrixBleed-style issues raises urgency, but does not prove this new flaw is already being exploited

Additional Resources

Citrix Security Bulletin

Bleeping Computer 

none

TikTok for Business Accounts Targeted in AiTM Phishing Campaign

Updated: March 27th, 2026

Category: TikTok

Source: Push Security

Overview

Push Security has reported a phishing campaign aimed at TikTok for Business users. The attack begins when a user is tricked into clicking a malicious link that leads to a fake page made to look like TikTok for Business or a Google-related page.

This is not a reported software vulnerability in TikTok. Instead, it is a login theft campaign. If a user follows the link and signs in on the fake page, the attacker may be able to steal the account login and the browser session used to stay logged in. In some cases, that can allow account takeover even when MFA is enabled.


What You Need to Know

  • What this is:
    A phishing campaign using fake TikTok for Business and Google-themed pages to steal account access.

  • How it starts:
    The attack requires a user to click a malicious link and attempt to sign in.

  • What is being targeted:
    TikTok for Business accounts, especially those used for advertising, promotions, or account administration.

  • Why it matters:
    A stolen business account could be used to run unauthorized ads, spread scams, misuse ad budgets, or damage a company’s online reputation.

  • Important technical detail in plain language:
    Researchers say the phishing pages may also steal the browser’s active login session. That matters because it can sometimes let an attacker stay logged in without needing the MFA code again.

  • Google sign-in risk:
    Push notes that many business users sign in to TikTok using Google. If that login flow is captured, the attacker may gain access to more than just TikTok.

  • Exploitation status:
    Researchers reported a live phishing campaign, but public reporting does not yet show how widespread successful compromise is.

  • What is still unknown:
    The initial delivery method has not yet been confirmed.


Who Could be Affected?

  • TikTok for Business users
  • Marketing, social media, and advertising teams with business account access
  • Organizations that use Google SSO to access TikTok for Business
  • Businesses with privileged ad, billing, or admin access tied to TikTok accounts

Recommended Actions

  1. Warn staff that this attack starts with a phishing link.
    Make sure employees know this is not a passive TikTok breach — the attacker needs someone to click and try to sign in.

  2. Be cautious with unexpected messages related to TikTok or Google.
    Treat unsolicited “schedule a call,” recruiting, partnership, or account-related messages as suspicious.

  3. Do not sign in from links in unexpected emails or messages.
    Go directly to the official TikTok for Business or Google login page instead.

  4. Check the web address carefully before entering credentials.
    Look for misspellings, unusual domains, or pages that do not belong to TikTok or Google.

  5. If a suspicious login page was used, act quickly.
    Reset the password, sign out of active sessions, and review the account for unauthorized changes.

  6. Review linked Google accounts if Google sign-in is used.
    Check for suspicious logins, newly authorized devices, or unusual activity.

  7. Check business account settings and billing activity.
    Look for unauthorized ads, account changes, new administrators, or unexpected spending.


Indicators of Compromise

The following domains were reported by Push Security as part of the phishing campaign. For most readers, these are mainly useful as warning signs: if you see one of these in an email, browser history, web filter, or employee report, treat it as suspicious.

Reported domains:

  • welcome.careerscrews[.]com
  • welcome.careerstaffer[.]com
  • welcome.careersworkflow[.]com
  • welcome.careerstransform[.]com
  • welcome.careersupskill[.]com
  • welcome.careerssuccess[.]com
  • welcome.careersstaffgrid[.]com
  • welcome.careersprogress[.]com
  • welcome.careersgrower[.]com
  • welcome.careersengage[.]com

Related infrastructure reported by Push:

  • storage.googleapis[.]com/fiz2a4s014vt8q4l5i0m1m7b0gl/

Note: The [.] format is intentional. Security write-ups often break domain names this way so they are not accidentally clicked.


Additional Notes

  • This is a phishing/account takeover issue, not a TikTok product vulnerability
  • User interaction is required for the attack to succeed
  • The phishing pages and domains may change quickly, so domain blocking alone is not enough
  • User awareness and prompt response to suspicious sign-in activity are especially important here

Additional Resources

Bleeping Computer

Push Security

critical

ConnectWise ScreenConnect: Critical Authentication Trust Hardening Update for Machine Key Abuse Risk (CVE-2026-3564)

Updated: March 19th, 2026

Category: ConnectWise

Source: ConnectWise

Overview

ConnectWise has published a security advisory for ScreenConnect describing a critical issue involving instance cryptographic material used for session authentication. If this material becomes accessible, a threat actor may be able to forge or modify protected values that the application accepts as trusted, potentially resulting in unauthorized accesselevated access, and access to active sessions.

ConnectWise states that ScreenConnect versions prior to 26.1 are impacted and recommends upgrading to 26.1 as soon as possible.


What You Need to Know

  • CVE: CVE-2026-3564
  • Affected product: ConnectWise ScreenConnect
  • Affected versions: prior to 26.1
  • Fixed version: 26.1
  • Impact (plain language):
    • Unauthorized access
    • Unauthorized actions within ScreenConnect
    • Elevated access / privilege escalation
    • Possible access to active sessions
  • Root issue: Exposure or abuse of instance-specific cryptographic material used by ASP.NET / ScreenConnect to sign and validate protected application data
  • Vendor context: ConnectWise says security researchers have observed attempts to abuse disclosed ASP.NET machine key material

Affected Products

  • ConnectWise ScreenConnect versions before 26.1
  • Most important for:
    • On-premises / self-hosted ScreenConnect
    • MSP and IT environments where ScreenConnect is used for privileged remote administration

  1. Update ScreenConnect to version 26.1 as soon as possible.
  2. Keep ScreenConnect on a supported, up-to-date version by applying future updates promptly.
  3. Review instance-level and server-level access controls to restrict access to sensitive application configuration and secrets.
  4. Monitor ScreenConnect logs for unusual authentication activity and unexpected administrative actions.
  5. Ensure backups, exported configuration archives, and historical snapshots are not accessible to untrusted users or systems.
  6. Keep all ScreenConnect extensions up to date and ensure only trusted, supported extensions are installed.

Cloud vs. On-Prem Notes

  • Cloud-hosted ScreenConnect: ConnectWise indicates cloud environments have been updated as part of standard operations.
  • On-premises ScreenConnect: Customers need to upgrade to 26.1 themselves.

Additional Resources

ConnectWise Trust Center advisory page

high

Microsoft SharePoint: Critical Unauthenticated RCE Now Exploited in the Wild (CVE-2026-20963)

Updated: March 19th, 2026

Category: Microsoft

Source: Microsoft

Overview

CISA has warned that CVE-2026-20963, a critical Microsoft SharePoint Server vulnerability patched in January 2026, is now being actively exploited. The flaw allows an unauthenticated attacker to execute code remotely against a vulnerable SharePoint server.

Because this affects on-premises SharePoint Server and requires no privileges, organizations running exposed or internally reachable SharePoint servers should treat this as a high-priority patching issue.


What You Need to Know

  • CVE: CVE-2026-20963
  • Severity: Critical
  • Type (plain language): Deserialization of untrusted data
  • Impact: Remote code execution (RCE)
    In practical terms, an attacker can send crafted network requests that cause the SharePoint server to run attacker-controlled code.
  • Attack requirements:
    • Unauthenticated
    • Network-based
    • Low attack complexity
  • Exploitation status: Active exploitation reported
    • Microsoft patched it in January 2026
    • CISA has since warned it is now being exploited in attacks

Microsoft’s description indicates that:

“In a network-based attack, an unauthenticated attacker could write arbitrary code to inject and execute code remotely on the SharePoint Server.”


Affected Products

Supported products listed as affected include:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server Subscription Edition

Also reported as vulnerable but end-of-support:

  • SharePoint Server 2007
  • SharePoint Server 2010
  • SharePoint Server 2013

These older versions no longer receive security updates and should be upgraded to a supported release.


  1. Apply Microsoft’s security update for CVE-2026-20963 immediately on supported SharePoint Server versions.
  2. If you are running end-of-support SharePoint versions, plan to upgrade to a supported version as soon as possible, since security fixes are no longer provided.
  3. Follow Microsoft’s CVE page for product-specific update guidance and ensure all SharePoint farms/servers are covered.
  4. If mitigations are not available for a given unsupported deployment, CISA advises organizations to discontinue use of the product.

Additional Notes

  • This is especially significant because SharePoint servers often contain sensitive internal documents and business data and may sit in trusted internal zones.
  • An unauthenticated SharePoint RCE can provide attackers with a foothold for data theft, persistence, and lateral movement.
  • Even if a SharePoint server is not internet-facing, internal exposure still matters if an attacker already has network access.

Additional Resources

Microsoft MSRC CVE page

CVE Page

none

CISA Urges Organizations to Harden Microsoft Intune After Destructive Stryker Attack

Updated: March 19th, 2026

Category: Microsoft

Source: CISA

Overview

CISA is urging U.S. organizations to harden Microsoft Intune and other endpoint management systems after attackers reportedly abused Intune in the cyberattack against Stryker. According to reporting cited by CISA, the attackers allegedly used a compromised administrative path to create a new Global Administrator account and then used Intune’s legitimate wipe capability to erase a large number of devices.

This is not a new software vulnerability in Intune. It is a security hardening and privileged access issue: if attackers gain sufficient admin access to endpoint management, they can use built-in features for large-scale destructive impact.


What You Need to Know

  • What happened: CISA says it is aware of malicious cyber activity targeting endpoint management systems following the March 11, 2026 attack against Stryker.
  • Why it matters: Endpoint management platforms like Microsoft Intune can push high-impact actions across many devices, including:
    • device wipe/reset
    • application deployment/updates
    • configuration changes
    • role/permission changes
  • Attack pattern described in reporting: Attackers allegedly:
    • compromised an administrator account
    • created a new Global Administrator
    • used Intune’s built-in wipe command to disrupt endpoints
  • CISA’s message: Organizations should harden Intune and similar endpoint management systems now to reduce the risk of similar abuse.

Affected Products

  • Microsoft Intune
  • More broadly, other enterprise endpoint management systems with high-privilege administrative capabilities

This alert is relevant even if you are fully patched, because the issue is about hardening admin controls and sensitive actions, not just software updates.


Follow CISA’s and Microsoft’s hardening guidance for Intune and endpoint management administration:

  1. Use least privilege for admin roles

    • Assign only the minimum permissions needed using Intune RBAC.
    • Avoid broad standing administrative access where narrower roles will work.
  2. Strengthen administrator authentication and trust controls

    • Enforce MFA
    • Use Microsoft Entra ID protections such as:
      • Conditional Access
      • risk-based signals/policies
      • privileged access hygiene
  3. Require additional approval for high-impact actions

    • Implement multi-admin approval for sensitive changes such as:
      • device wipes
      • application updates
      • RBAC/role changes
  4. Review and secure privileged accounts

    • Closely review Global Administrator and other high-privilege roles.
    • Investigate unexpected creation of new privileged accounts.

Indicators of Compromise

CISA’s alert is primarily defensive guidance and does not provide a formal IOC list. Practical investigation leads include:

  • unexpected creation of new Global Administrator or other privileged accounts
  • unusual or bulk wipe actions initiated through Intune
  • unexpected RBAC changes
  • suspicious admin logins or policy/application changes originating from privileged accounts

Additional Notes

  • This is a strong reminder that endpoint management platforms are high-value targets. If attackers compromise them, they can often act at enterprise scale without needing malware on every endpoint.
  • Because Intune actions may be legitimate features used maliciously, detection should focus on admin activityapproval workflows, and change monitoring, not just malware signatures.

Additional Resources

Microsoft Intune Best Security Practices

critical

Ubiquiti UniFi Network Application: Max-Severity Path Traversal May Enable Account Takeover (CVE-2026-22557)

Updated: March 19th, 2026

Category: Ubiquiti

Source: Ubiquiti

Overview

Ubiquiti has released fixes for two vulnerabilities in the UniFi Network Application (also called the UniFi Controller), including a maximum-severity flaw that could let an attacker access files on the underlying system and potentially take over accounts. Because UniFi is widely used to manage wireless, switching, and gateway infrastructure, organizations using vulnerable controller versions should update promptly.


What You Need to Know

  • Primary CVE: CVE-2026-22557
  • Severity: Critical / max severity
  • Type (plain language): Path traversal
    This means an attacker may be able to access files they should not be able to read by manipulating file paths.
  • Attack requirements (per Ubiquiti):
    • Attacker needs access to the network
    • No privileges required
    • Low attack complexity
    • No user interaction required
  • Potential impact: Access to files on the underlying system that could be manipulated to help access an underlying account, potentially leading to account takeover
  • Affected version range: UniFi Network Application 10.1.85 and earlier
  • Fixed version: 10.1.89 and later

Ubiquiti also fixed a second issue:

  • Secondary issue: Authenticated NoSQL injection
  • Impact: A user with authenticated access could potentially escalate privileges
  • Plain language: Someone who already has an account may be able to abuse database query handling to gain higher permissions than intended

Affected Products

  • UniFi Network Application / UniFi Controller
    • Affected: 10.1.85 and earlier
    • Fixed: 10.1.89 and later

If you manage UniFi through a Cloud Gateway or another Ubiquiti appliance, confirm the bundled UniFi Network Application version is also updated to a fixed release.


  1. Upgrade the UniFi Network Application to version 10.1.89 or later immediately.
  2. Review whether your UniFi management interface is reachable from:
    • untrusted internal segments
    • guest networks
    • broad VPN populations
    • other networks that should not have admin-plane access
  3. Limit access to the UniFi controller to only trusted administrative networks and users.

Additional Notes

  • UniFi deployments are common in SMB, education, hospitality, retail, and distributed office environments, so patching this controller software may have broad operational relevance.

Additional Resources

CVE record

Ubiquiti Advisory

none

KadNap Botnet Hijacking ASUS Routers and Other Edge Devices to Build a Criminal Proxy Network

Updated: March 13th, 2026

Category: ASUS

Source: Black Lotus Labs

Overview

Lumen’s Black Lotus Labs reports a botnet malware family named KadNap that compromises ASUS routers (and other edge networking devices) to convert them into nodes in a proxy network used to relay malicious traffic. Lumen reports observing activity since August 2025 and estimates the botnet has grown to over 14,000 infected devices.


What You Need to Know

  • KadNap is a botnet (a group of compromised devices controlled remotely by an attacker) focused on edge devices (routers and similar equipment that sit at the “edge” of a network and connect it to the internet).
  • Infected routers can be used as a proxy network (a way to route internet traffic through someone else’s device to hide the true source), which can enable or disguise follow-on cybercrime activity.
  • This type of compromise may be difficult to notice because the router can continue to function normally while still being abused in the background.
  • Lumen provides Indicators of Compromise (IoCs) (clues such as suspicious IP addresses/domains/files that help confirm or rule out infection) to help organizations detect and disrupt KadNap activity.

Indicators of Compromise


  1. Update router firmware to the latest available for each model and disable remote administration from the public internet unless it is absolutely required.
  2. Restrict management access to trusted internal networks and approved admin devices; enforce strong, unique admin passwords.
  3. Use the published IoCs to check firewall/DNS/proxy logs and any available router telemetry for signs of compromise.
  4. If compromise is suspected, isolate the router, perform a factory reset, and reconfigure from known-good settings (avoid restoring unknown or old configuration backups).

Additional Resources

Readers can monitor these ASUS pages for vendor updates and security guidance:

ASUS Security Advisory hub

ASUS Product Security Advisory

ASUS news/official statements

critical

HPE Patches Aruba Networking AOS-CX Authentication Bypass That May Allow Admin Password Resets (CVE-2026-23813)

Updated: March 13th, 2026

Category: Hewlett Packard Enterprise (HPE)

Source: HPE

Overview

HPE Aruba Networking published a security advisory for Aruba Networking AOS-CX identifying multiple vulnerabilities, including a critical authentication bypass in the web-based management interface. HPE indicates the issue could allow an unauthenticated remote actor to circumvent authentication controls and, in some cases, reset the admin password.


What You Need to Know

  • CVE: CVE-2026-23813
  • Affected component: AOS-CX web-based management interface
  • Risk: An unauthenticated remote actor may be able to bypass authentication; in some cases this could enable resetting the admin password
  • Exploitability notes: The advisory states HPE Aruba Networking is not aware of public discussion or exploit code targeting these vulnerabilities as of the advisory release

Affected Products

  • HPE Aruba Networking AOS-CX (HPE Aruba CX-series switch platforms)
    Consult the advisory for the specific affected versions/models and the corresponding fixed releases.

  1. Apply the vendor-provided software updates for AOS-CX as specified in HPE’s advisory for CVE-2026-23813.
  2. If patching cannot be completed immediately, implement HPE’s mitigations to reduce exposure of management interfaces:
    • Restrict management access to a dedicated Layer 2 segment/VLAN
    • Enforce strict Layer 3+ access policies allowing only trusted hosts
    • Disable HTTP(S) on SVIs and routed ports where not required
    • Apply control plane ACLs to REST/HTTP-enabled management interfaces (HTTPS/REST endpoints)
    • Enable accounting/logging/monitoring for management interface activity
  3. After patching, review administrative access paths and consider validating that management plane access is limited to approved jump hosts and networks.

Additional Resources

high

Microsoft Releases Windows 10 March 2026 Security Update for ESU

Updated: March 13th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has published the Windows 10 cumulative security update KB5078885 for supported Windows 10 servicing channels, including Windows 10 ESU and Windows 10 Enterprise LTSC 2021. The update contains security fixes and quality improvements and is intended to be deployed as part of routine monthly patching for Windows 10 systems still under support.


What You Need to Know

  • KB5078885 applies to Windows 10, version 22H2 and Windows 10 Enterprise LTSC 2021.
  • After installation, systems update to:
    • Windows 10 22H2: OS Build 19045.7058
    • Windows 10 Enterprise LTSC 2021: OS Build 19044.7058
  • Improvements and fixes called out by Microsoft include:
    • Secure Boot: Expanded “high confidence device targeting data” used to determine eligibility for automatic delivery of updated Secure Boot certificates.
    • OS security reliability fix: Addresses an issue where some Secure Launch-capable PCs with Virtual Secure Mode (VSM) enabled could be unable to shut down or enter hibernation and would restart instead.
    • Additional quality improvements in areas including Windows System Image ManagerFile Historygraphics stabilityfonts, and File Explorer folder renaming behavior.

  1. Deploy KB5078885 to all in-scope Windows 10 ESU and Windows 10 Enterprise LTSC 2021 devices using your standard patching process.
  2. Prioritize systems with Secure Launch and VSM enabled if shutdown/hibernation reliability has been an operational issue.
  3. Validate post-deployment by checking OS build levels (19045.7058 / 19044.7058) and confirming normal shutdown/hibernate behavior for affected device classes.

Additional Resources

MSRC Security Update Guide

high

Microsoft March 2026 Patch Tuesday Security Updates (CVE-2026-26127, CVE-2026-21262)

Updated: March 13th, 2026

Category: Microsoft

Source: Microsoft

Overview

Microsoft has released its March 2026 Patch Tuesday security updates. The March release includes fixes for multiple products and components, including .NET (denial of service) and SQL Server (elevation of privilege). Organizations should apply applicable updates through standard Microsoft patching channels and prioritize systems where availability and privilege boundaries are most critical.


What You Need to Know

  • March 2026 release context: Microsoft’s March 2026 security updates are tracked in the MSRC release note (link above).
  • CVE-2026-26127 (.NET): A .NET denial of service vulnerability addressed in Microsoft security updates.
  • CVE-2026-21262 (SQL Server): A SQL Server elevation of privilege vulnerability addressed in Microsoft security updates.
  • Windows servicing example: The Windows 11 cumulative update KB5079473 is a March security update vehicle for Windows 11 (support article link above) and references the MSRC Security Update Guide for vulnerability details.

  1. Deploy March 2026 security updates applicable to your environment (Windows, .NET runtimes/SDKs, SQL Server versions) using your standard process (e.g., Windows Update for Business/Intune/WSUS/MECM).
  2. Prioritize patching for:
    • Systems running SQL Server where privileged access is tightly controlled or shared, and
    • Systems running .NET services where downtime/availability risk is high.
  3. Verify remediation by confirming installed update levels on representative endpoints/servers and validating that .NET/SQL Server patch baselines match the MSRC guidance for the CVEs above.

Additional Resources

MSRC Security Update Guide

high

Unauthenticated SQL Injection in Elementor “Ally” WordPress plugin (CVE-2026-2413)

Updated: March 13th, 2026

Category: WordPress

Source: Wordfence

Overview

Wordfence reports an unauthenticated SQL injection vulnerability in Ally – Web Accessibility & Usability, a WordPress plugin estimated to have 400,000+ active installations. The flaw can be leveraged to extract sensitive data from a site’s database and is patched in Ally 4.1.0.


What You Need to Know

  • CVE: CVE-2026-2413
  • CVSS: 7.5 (High)
  • Affected versions: Ally 4.0.3 and earlier
  • Patched version: 4.1.0
  • Attack type: Unauthenticated SQL injection via the URL path
  • Impact: Attackers may be able to extract sensitive database data, including password hashes, using time-based blind SQL injection techniques
  • Required condition: The Remediation module must be active (requires the plugin to be connected to an Elementor account)

Affected Products

  • Ally – Web Accessibility & Usability (pojo-accessibility)
    • Affected: ≤ 4.0.3
    • Fixed: 4.1.0

  1. Update Ally to version 4.1.0 immediately.
  2. If you cannot update right away, disable the Remediation module and/or disconnect the plugin from the Elementor account to reduce exposure until patched.
  3. If the site is high-value or exposure is suspected, review logs for anomalous requests and consider rotating secrets stored in the database.

Additional Resources

CVE Record

Wordfence Report

critical

Security Alert: Apple backports “Coruna” exploited-vulnerability fixes to older iOS/iPadOS devices

Updated: March 13th, 2026

Category: Apple

Source: Apple

What happened

Apple released security updates for older iPhone and iPad models to address vulnerabilities associated with the Coruna exploit kit, which has been used in targeted surveillance/espionage and financially motivated (crypto-theft) campaigns. These are backported fixes for devices that cannot run the latest OS.


Who is affected

Devices running iOS 15.8.7 / iOS 16.7.15 and iPadOS 15.8.7 / iPadOS 16.7.15, including (as listed in the article):

  • iPhone: 6s, 7, SE (1st gen), 8, 8 Plus, X
  • iPad / iPod: iPad Air 2, iPad mini (4th gen), iPod touch (7th gen), iPad (5th gen), iPad Pro 9.7-inch, iPad Pro 12.9-inch (1st gen)

Key vulnerabilities mentioned

  • CVE-2023-41974 — Kernel use-after-free
  • CVE-2024-23222 — WebKit type confusion
  • CVE-2023-43000 — WebKit use-after-free
  • CVE-2023-43010 — WebKit memory-handling issue 

Threat context (why urgency is justified)

  • Coruna has been used by multiple actors since Feb 2025 
  • CISA reportedly added multiple Coruna-targeted vulnerabilities to Known Exploited Vulnerabilities (KEV) and directed U.S. federal agencies to patch by March 26.

  1. Patch immediately: ensure impacted devices are updated to iOS 15.8.7 / 16.7.15 or iPadOS 15.8.7 / 16.7.15 (as applicable to the model).
  2. Prioritize high-risk users: executives, admins, finance/crypto holders, journalists, and anyone likely to be targeted.
  3. If you can’t patch promptly: consider removing the device from access to sensitive corporate resources (mail, VPN, SSO apps) until updated.
  4. Hygiene checks (orgs): confirm MDM compliance rules enforce minimum OS versions for these older models.

Additional Resources

See Apple Advisories here and here.

critical

Veeam Backup & Replication: Multiple Critical Vulnerabilities (RCE) Patched — Upgrade Required

Updated: March 13th, 2026

Category: Veeam

Source: Veeam

Overview

Veeam has published a security bulletin (KB4830) for Veeam Backup & Replication (VBR) addressing multiple vulnerabilities, including critical remote code execution (RCE) issues. Backup servers are routinely prioritized by threat actors because compromising them can enable lateral movement and backup disruption/deletion, undermining recovery during ransomware incidents. Veeam strongly recommends upgrading promptly.


What You Need to Know

All vulnerabilities in Veeam’s bulletin affect Veeam Backup & Replication 12.3.2.4165 and all earlier v12 builds, and are fixed in 12.3.2.4465.

Critical — RCE

  • CVE-2026-21666 — Authenticated domain user can achieve RCE on the Backup Server
    • Severity: Critical | CVSS v3.1: 9.9 | PR: Low | UI: None
  • CVE-2026-21667 — Authenticated domain user can achieve RCE on the Backup Server
    • Severity: Critical | CVSS v3.1: 9.9
  • CVE-2026-21708 — Backup Viewer can achieve RCE as the postgres user
    • Severity: Critical | CVSS v3.1: 9.9

High severity

  • CVE-2026-21668 — Authenticated domain user can bypass restrictions and manipulate arbitrary files on a Backup Repository
    • Severity: High | CVSS v3.1: 8.8
  • CVE-2026-21672 — Local privilege escalation on Windows-based VBR servers
    • Severity: High | CVSS v3.1: 8.8

Affected Products

  • Veeam Backup & Replication12.3.2.4165 and all earlier version 12 builds (per Veeam KB4830)

  1. Upgrade Veeam Backup & Replication to 12.3.2.4465 (or later) immediately.
    • Veeam states these vulnerabilities are resolved in VBR 12.3.2.4465.
  2. Treat patching as urgent: Veeam notes that once patches are public, attackers often reverse-engineer them to target unpatched systems.

Indicators of Compromise

  • Veeam’s KB entry does not provide IOCs or exploitation details. If you suspect compromise, prioritize investigating:
    • Unusual processes spawned by VBR components
    • Unexpected repository file modifications
    • Postgres-related suspicious activity on the VBR server

 

high

Google Chrome: Two Actively Exploited Zero-Days Patched (CVE-2026-3909, CVE-2026-3910)

Updated: March 13th, 2026

Category: Chrome

Source: Google

Overview

Google released emergency security updates for the Chrome Stable Desktop channel to address two high-severity vulnerabilities that are confirmed to be exploited in the wildCVE-2026-3909 and CVE-2026-3910. Because these are browser zero-days, organizations should prioritize rapid patching across endpoints.


What You Need to Know

  • Exploited in the wild: Google states it is aware exploits exist for both CVEs.
  • CVE-2026-3909: Out-of-bounds write in Skia (graphics/rendering library). Impact can include browser crashes and potentially code execution depending on exploitation.
  • CVE-2026-3910: “Inappropriate implementation” in V8 (JavaScript/WebAssembly engine). V8 issues commonly enable memory safety exploitation paths when chained.
  • Fixed Chrome Stable Desktop versions:
    • Windows: 146.0.7680.75
    • macOS: 146.0.7680.76
    • Linux: 146.0.7680.75
  • Rollout note: Google indicates the update may take days/weeks to reach all users automatically, so organizations should not rely solely on gradual rollout.

Affected Products

  • Google Chrome (Stable channel) on Desktop prior to the fixed versions above (Windows/macOS/Linux).

  1. Update Chrome immediately on all managed endpoints to at least:
    • Windows/Linux: 146.0.7680.75
    • macOS: 146.0.7680.76
  2. Restart Chrome after updating (users often update but don’t restart, leaving the old binary running).
  3. Where possible, use enterprise controls (MDM/GPO/software management) to accelerate rollout rather than waiting for staggered auto-update propagation.

Additional Notes

These are the second and third actively exploited Chrome zero-days patched in 2026 (per reporting), reinforcing the need for tight browser patch SLAs.

none

“ClawJacked” Lets Malicious Websites Hijack Local OpenClaw via Localhost WebSocket Brute Force

Updated: March 6th, 2026

Category: OpenClaw

Source: Oasis Security

Overview

Oasis Security disclosed a high-severity OpenClaw vulnerability dubbed “ClawJacked” where a malicious website can silently connect from a victim’s browser to the local OpenClaw gateway over WebSocket, brute-force the management password at high speed, and then register as a trusted device. With admin access, an attacker can control the OpenClaw agent environment and potentially exfiltrate data or run commands on paired nodes.

OpenClaw released a fix in version 2026.2.26 (Feb 26, 2026).


What You Need to Know

  • Core issue (Oasis):
    • OpenClaw’s gateway exposes a WebSocket interface on localhost.
    • Browser cross-origin protections do not prevent a website from initiating WebSocket connections to localhost.
    • OpenClaw’s rate limiting exempted 127.0.0.1 by default, enabling high-rate guessing without throttling.
  • Attack flow (as described):
    1. User visits a malicious site.
    2. Site JavaScript connects to the local OpenClaw gateway via WebSocket.
    3. Brute-force the management password at hundreds of attempts per second.
    4. On success, attacker silently registers as a trusted device because localhost pairing is auto-approved.
    5. Attacker controls the OpenClaw instance with admin permissions.
  • Impact (Oasis):
    • Access to credentials/secrets and logs
    • Enumeration of connected nodes
    • Potentially instruct agents to search messages/history, exfiltrate files, and execute shell commands on paired nodes (risking workstation/node compromise)

Affected Products

  • OpenClaw versions prior to 2026.2.26 (per Oasis / reporting)
  • Systems where the OpenClaw gateway is reachable on localhost via WebSocket and protected by a human-chosen password

  1. Update OpenClaw to 2026.2.26 or later immediately.
    Oasis reports the fix tightens WebSocket security checks and adds protections against abuse of localhost loopback connections (including brute force/session hijacking).
  2. For defense-in-depth (especially in enterprise endpoint environments):
    • Avoid running OpenClaw gateway services on user workstations unless necessary.
    • Treat local-agent management interfaces as sensitive: restrict access and ensure strong credentials, even if “only localhost” (because browsers can reach localhost).

 

high

VMware Aria Operations Unauthenticated Command Injection (CVE-2026-22719)

Updated: March 6th, 2026

Category: VMware

Source: Broadcom

Overview

Broadcom (VMware) patched CVE-2026-22719 in VMware Aria Operations on February 24, 2026 under VMSA-2026-0001. CISA has since added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as exploited in attacks and setting a remediation deadline for U.S. federal agencies.

Broadcom states it is aware of reports indicating exploitation in the wild but cannot independently confirm them.


What You Need to Know

  • CVE: CVE-2026-22719
  • Product: VMware Aria Operations
  • Severity (as originally published in VMSA-2026-0001): CVSS 8.1 (“Important”)
  • Vulnerability type: Command injection
  • Authentication: Unauthenticated
  • Exploitation condition (per Broadcom advisory language): Exploitation may lead to RCE while support-assisted product migration is in progress
  • Status: Added to CISA KEV (exploited)

Affected Products

  • VMware Aria Operations versions identified in Broadcom’s VMSA-2026-0001 advisory 
    Because exploitability is tied to support-assisted migration, prioritize instances where that process is running or enabled.

  1. Apply Broadcom’s VMware Aria Operations security patches released Feb 24, 2026 for VMSA-2026-0001 / CVE-2026-22719 as soon as possible.
  2. If patching is not immediately possible, apply Broadcom’s temporary workaround:
    • Run the provided script aria-ops-rce-workaround.sh as root on each Aria Operations appliance node.
    • The workaround disables migration components that could be abused, including removing:
      • /usr/lib/vmware-casa/migration/vmware-casa-migration-service.sh
      • the sudoers entry allowing passwordless root execution for:
        • NOPASSWD: /usr/lib/vmware-casa/bin/vmware-casa-workflow.sh
  3. Treat this as urgent if Aria Operations is exposed to untrusted networks or if migration workflows are active/planned.

Additional Resources

Broadcom Security Advisory (VMSA-2026-0001 entry)

Broadcom Knowledge Base (workaround guidance / details)

CISA Known Exploited Vulnerabilities Catalog

critical

Cisco Secure FMC: Critical Unauthenticated Auth Bypass and RCE Permit Root-Level Compromise (CVE-2026-20079, CVE-2026-20131)

Updated: March 6th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco released security advisories for two critical vulnerabilities in Cisco Secure Firewall Management Center (FMC) Software. Both can be exploited by unauthenticated remote attackers via the FMC web-based management interface and can result in root access on affected systems.

CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, but Cisco notes SCC is SaaS-delivered and upgraded by Cisco (no customer patching action required for SCC).


What You Need to Know

  • CVE-2026-20079 — Authentication Bypass (CVSS 10.0)

    • Affected: Cisco Secure FMC Software (on-prem)
    • Vector: Crafted HTTP requests to the FMC web interface
    • Impact: Bypass authentication and execute script files/commands to gain root access
    • Workarounds: None
  • CVE-2026-20131 — Remote Code Execution via Insecure Deserialization (CVSS 10.0)

    • Affected: Cisco Secure FMC Software and Cisco SCC Firewall Management
    • Vector: Crafted serialized Java object sent to the web-based management interface
    • Impact: Execute arbitrary Java code and elevate privileges to root
    • Cisco note: If the FMC management interface does not have public internet access, the associated attack surface is reduced
    • Workarounds: None
  • Exploitation status (Cisco PSIRT): Cisco PSIRT is not aware of any public announcements or malicious use for either vulnerability at the time of publication.


Affected Products

  • Cisco Secure Firewall Management Center (FMC) Software (both CVEs)
  • Cisco Security Cloud Control (SCC) Firewall Management (CVE-2026-20131 only)
    • Cisco states SCC is SaaS-delivered and upgraded by Cisco as part of maintenance; no user action required for SCC.

  1. Upgrade FMC to a fixed software release that addresses:
    • CVE-2026-20079
    • CVE-2026-20131
      Cisco provides the Cisco Software Checker to identify the earliest fixed release (“First Fixed”) for your exact FMC version/platform.
  2. Reduce exposure of the FMC web management interface (defense-in-depth), especially ensuring it is not reachable from the public internet.

Additional Resources

Cisco advisory (CVE-2026-20079)

Cisco advisory (CVE-2026-20131)

Cisco Software Checker

none

Security Alert: Active LastPass Phishing Campaign Uses Fake Email Chains to Steal Credentials (verify-lastpass[.]com)

Updated: March 6th, 2026

Category: LastPass

Source: LastPass

Overview

LastPass’ Threat Intelligence, Mitigation, and Escalation (TIME) team warns of an active phishing campaign that uses fake forwarded email chains alleging unauthorized actions on a user’s LastPass account (e.g., export vault, account recovery, new trusted device). The emails use display-name spoofing to appear as “LastPass” or “LastPass Support,” and direct recipients to a fake SSO login page intended to harvest credentials.

LastPass states there is no impact to LastPass systems.


What You Need to Know

  • Campaign start: On or around March 1, 2026 (per LastPass).
  • Tactics:
    • “Forwarded internal message” style threads to create urgency.
    • Display name spoofing so many email clients show “LastPass” while the underlying sender address is unrelated.
    • Links such as “report suspicious activity,” “disconnect and lock vault,” and “revoke device.”
  • Primary phishing domain: verify-lastpass[.]com
    • Attackers generate many URL variants (often by adding trailing numbers) that redirect to the same phishing site.
  • Goal: Capture user credentials via a fake LastPass SSO login page.

Affected Users / Systems

  • Any LastPass user receiving these messages (personal or enterprise).
  • Mail/security teams may see increased inbound LastPass-themed phishing and click-through attempts to the domains/redirectors listed below.

  1. Do not click links in unsolicited LastPass-branded security alerts or “forwarded thread” messages.
  2. Never provide your master password—LastPass reiterates it will never ask for it.
  3. If you are unsure whether an email is legitimate, submit it to[email protected]
  4. Remind users: on mobile, expand the sender details—display name alone is not proof the email is from LastPass.

Indicators of Compromise / Detection Leads (from LastPass)

Malicious destination domain

  • verify-lastpass[.]com

Known redirector URLs and IPs (at time of publication)

  • Several redirector links were observed pointing to verify-lastpass[.]com/login?<number> and were served from the following IPs:
    • 172.67.200[.]82
    • 104.21.21[.]204
    • 52.102.103[.]4
    • 52.102.103[.]12
    • 52.102.103[.]50

Known sender addresses (observed)

Known subject lines (observed)

  • Re: the details
  • Re: pending approval
  • Re: Access request pending
  • Re: FYI
  • RE: sign-in — TRZ-2302300
  • Fwd: Re: your request
  • Re: credential download

Additional Resources

critical

Cisco Catalyst SD-WAN: Critical Auth Bypass (CVE-2026-20127) Exploited as a Zero-Day Since at Least 2023

Updated: March 6th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco disclosed a critical authentication bypass in Cisco Catalyst SD-WAN peering authentication tracked as CVE-2026-20127 (CVSS 10.0). Cisco reports limited active exploitation, and external reporting (including Cisco Talos and government partner advisories referenced in public coverage) indicates exploitation activity has occurred since at least 2023 to compromise SD-WAN control components and add rogue peers.

This is high-risk because it affects SD-WAN control/management plane systems used to manage and route traffic across sites.


What You Need to Know

  • CVE: CVE-2026-20127
  • Severity: Critical (CVSS 10.0)
  • Vulnerability type: Authentication bypass in the peering authentication mechanism
  • Attacker position: Unauthenticated, remote attacker can send crafted requests to an affected system
  • What an attacker gains (Cisco):
    • Log in to an affected Catalyst SD-WAN Controller as an internal, high-privileged non-root user
    • Use NETCONF to potentially manipulate SD-WAN fabric configuration
  • Affected deployment types (Cisco):
    • On-Prem Deployment
    • Cisco Hosted SD-WAN Cloud
    • Cisco Hosted SD-WAN Cloud – Cisco Managed
    • Cisco Hosted SD-WAN Cloud – FedRAMP Environment
  • Workarounds: Cisco states no workarounds fully address the vulnerability. (Cisco does provide temporary mitigation guidance while planning upgrades.)

Affected Products

  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly vManage)
    Cisco states impact is regardless of device configuration.

  1. Upgrade to a fixed software release (Cisco’s only complete remediation).
  2. While planning and executing upgrades, apply Cisco’s mitigation guidance to reduce exposure:
    • Follow Cisco’s SD-WAN firewall/ports guidance.
    • Restrict traffic to port 22 and port 830 to allow only known controller IPs and other known IPs.
    • Ensure ACLs/security group rules/firewall rules limit access to SD-WAN control components to only authorized hosts.
  3. Hunt for compromise indicators on any systems that were internet-exposed or otherwise at risk (see below), and open a Cisco TAC case if suspicious activity is found.
    • Cisco encourages collecting an admin-tech bundle (“request admin-tech”) from each control component before engaging TAC.

Fixed Software (Cisco “First Fixed Release”)

Upgrade targets from Cisco’s advisory (match your current release train):

  • If running earlier than 20.9migrate to a fixed release
  • If running 20.9: upgrade to 20.9.8.2
  • If running 20.11: upgrade to 20.12.6.1
  • If running 20.12: upgrade to 20.12.5.3 or 20.12.6.1
  • If running 20.13: upgrade to 20.15.4.2
  • If running 20.14: upgrade to 20.15.4.2
  • If running 20.15: upgrade to 20.15.4.2
  • If running 20.16: upgrade to 20.18.2.1
  • If running 20.18: upgrade to 20.18.2.1

Cisco notes some trains have reached end of software maintenance and recommends upgrading to a supported release.


Indicators of Compromise (Cisco Guidance)

Cisco highlights that internet-exposed Catalyst SD-WAN Controller systems are at risk and recommends:

  • Audit /var/log/auth.log for entries indicating successful key-based auth:
    • Look for “Accepted publickey for vmanage-admin” from unknown or unauthorized IPs, e.g.:
      • Accepted publickey for vmanage-admin from <IP> ...
  • Validate suspicious IPs against:
    • The configured System IPs shown in Catalyst SD-WAN Manager UI (WebUI → Devices → System IP column)
    • Your known management/controller infrastructure and authorized IP ranges
  • Peering event validation: Cisco advises manually validating control connection peering events, focusing on:
    • Unexpected timestamps (outside maintenance windows)
    • Unrecognized public IPs
    • Peer system IPs not matching documented topology
    • Peer types inconsistent with your architecture

If suspicious findings exist, Cisco recommends opening a TAC case and providing admin-tech files.


Additional Resources

Cisco Catalyst SD-WAN Upgrade Matrix

Cisco Remediate Catalyst SD-WAN Security Advisory - February 2026

critical

Cisco Catalyst SD-WAN Manager: CVE-2026-20122 & CVE-2026-20128 Marked as Actively Exploited — Upgrade Required

Updated: March 6th, 2026

Category: Cisco

Source: Cisco

Overview

Cisco updated its advisory for Cisco Catalyst SD-WAN Manager (formerly vManage) to state that two vulnerabilities—CVE-2026-20122 and CVE-2026-20128—are being actively exploited in the wild. Cisco strongly recommends upgrading to a fixed software release; no workarounds are available.

Because SD-WAN Manager is a centralized control/management component, successful exploitation can have broad impact across managed SD-WAN environments.


What You Need to Know

Cisco notes that, among the CVEs covered in this advisory, active exploitation is known only for:

  • CVE-2026-20122 — Arbitrary File Overwrite (High severity)

    • Exploitation requires an authenticated remote attacker with valid read-only credentials that have API access.
    • Successful exploitation can allow overwriting arbitrary files and gaining vmanage user privileges.
  • CVE-2026-20128 — Information Disclosure (Medium severity)

    • Exploitation requires an authenticated local attacker with valid vmanage credentials.
    • The issue can expose a file containing the Data Collection Agent (DCA) password, enabling the attacker to obtain DCA user privileges (and potentially use that credential on other affected systems).
    • Cisco notes releases 20.18 and later are not affected by CVE-2026-20128.

Cisco also states:

  • These vulnerabilities affect Catalyst SD-WAN Manager regardless of device configuration.
  • Other CVEs in the same advisory are not currently known to be exploited.

Affected Products

  • Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage)

  1. Upgrade to a fixed software release identified by Cisco (no workarounds available).
  2. Apply Cisco’s general hardening recommendations where applicable, such as:
    • Restrict access from unsecured networks (avoid direct internet exposure; allow only trusted hosts/required ports).
    • Place SD-WAN control components behind filtering devices (firewalls), and limit inbound/outbound traffic to trusted systems.
    • Send logs to an external system and retain them long enough for investigations.
    • Disable HTTP for the web UI and disable unnecessary services (including HTTP/FTP).
    • Change default admin passwords and use least-privilege accounts; use TLS with appropriate certificates.

Fixed Software (Cisco “First Fixed Release”)

Cisco provides these upgrade targets (choose the one matching your current release train):

  • If running earlier than 20.9migrate to a fixed release (Cisco does not provide an in-train fix for older trains).
  • If running 20.9: upgrade to 20.9.8.2
  • If running 20.11: upgrade to 20.12.6.1
  • If running 20.12: upgrade to 20.12.5.3 or 20.12.6.1
  • If running 20.13: upgrade to 20.15.4.2
  • If running 20.14: upgrade to 20.15.4.2
  • If running 20.15: upgrade to 20.15.4.2
  • If running 20.16: upgrade to 20.18.2.1
  • If running 20.18: upgrade to 20.18.2.1

Cisco also notes certain trains are end-of-maintenance and recommends upgrading to a supported release.


Additional Resources

Cisco Catalyst SD-WAN Hardening Guide

 

critical

WordPress: User Registration & Membership Plugin Vulnerability (CVE-2026-1492)

Updated: March 6th, 2026

Category: WordPress

Source: Wordfence

Overview

A critical vulnerability in the User Registration & Membership WordPress plugin (by WPEverest) is being exploited to create administrator accounts without authentication. If successful, attackers can take full control of affected WordPress sites, potentially installing malicious plugins/themes, modifying site code and content, stealing user data, and locking out legitimate admins.


What You Need to Know

  • CVE: CVE-2026-1492
  • Severity: Critical (9.8)
  • What’s vulnerable (plain language): The plugin accepts a user-supplied role during membership registration. Attackers can abuse this to register an account with administrator privileges.
  • Exploitation status: Reported actively exploited. Wordfence reports blocking exploitation attempts in customer environments.
  • Impact: Full WordPress site takeover (admin-level control).

Affected Products

  • WordPress plugin: User Registration & Membership (WPEverest)
  • Affected versions: all versions through 5.1.2
  • Fixed in: 5.1.3
  • Current recommended version (per reporting): 5.1.4

  1. Update the plugin immediately to a fixed release:
    • Upgrade to 5.1.4 (or later), which includes the fix introduced in 5.1.3.
  2. If you cannot update right awaytemporarily disable or uninstall the plugin until you can apply the fixed version.

Indicators of Compromise

No specific IOCs were provided in the article text. Practical checks consistent with the described attack:

  • Review WordPress Users for unexpected new administrator accounts, especially recently created accounts that do not match normal provisioning.
  • Review registration/membership activity around the time suspicious admins appeared.

Additional Notes

  • Because the vulnerability enables pre-authentication privilege escalation, sites with public registration enabled are especially exposed.
  • If an attacker obtained admin access, assume they may have added persistence (e.g., additional admin users, modified plugins/themes). Follow your standard incident response procedures if compromise is suspected.

Additional Resources

Wordfence vulnerability entry

 

none

Notepad++: Update Mechanism Traffic Hijacked in Targeted Campaign

Updated: February 6th, 2026

Category: Notepad++

Source: Notepad++

Overview

Notepad++ disclosed that update traffic for its WinGUp updater was hijacked in a highly targeted campaign that ran for months in 2025. Attackers are reported to have intercepted and selectively redirected update requests for certain users to attacker-controlled infrastructure, serving tampered update manifests by taking advantage of insufficient update verification controls in older Notepad++ versions.

Independent researchers assessing the incident believe the threat actor is likely a Chinese state-sponsored group, consistent with the narrow/precise targeting observed. Rapid7 has also published analysis connecting related activity to the Lotus Blossom threat group and a custom backdoor (“Chrysalis”), though definitive artifacts tying every observed intrusion to the updater mechanism were not confirmed in Rapid7’s report.


What You Need to Know

  • What happened: Selective redirection of Notepad++ update checks to malicious servers, serving tampered update metadata/manifests.
  • Root issue: A security gap in update verification controls in older Notepad++ versions’ WinGUp updater.
  • Timeline (per Notepad++ / hosting provider findings):
    • Campaign began around June 2025
    • Temporary interruption in early September 2025 after kernel/firmware updates
    • Attacker regained access using internal service credentials that were not rotated
    • Activity ended December 2, 2025 when the hosting provider detected the breach and terminated access
  • Targeting: Reported as highly selective (only certain users were redirected).
  • Vendor remediation already taken (per Notepad++):
    • Migrated update infrastructure to a new hosting provider with stronger security
    • Rotated potentially exposed credentials
    • Fixed exploited vulnerabilities and reviewed logs to confirm malicious activity stopped
  • Security hardening in Notepad++ versions:
    • Starting with Notepad++ 8.8.9, WinGUp verifies installer certificates/signatures and the update XML is cryptographically signed.
    • Notepad++ plans to enforce mandatory certificate signature verification in 8.9.2 (planned “about a month” from the announcement date).

Affected Products

  • Notepad++ installations using older versions with WinGUp update verification weaknesses (Notepad++ states protections were improved starting in v8.8.9).
  • Windows endpoints where Notepad++ and its updater (GUP.exe/WinGUp) are used.

  1. Update Notepad++ to at least version 8.8.9 (or later).
    • This version adds stronger update integrity checks (certificate/signature verification and signed update XML).
  2. Monitor Notepad++ communications for the planned 8.9.2 release that will enforce mandatory certificate signature verification, and plan to adopt it when available.

Additional Resources

Rapid 7 technical analysis

critical

n8n: Critical Sandbox Escape Enables Server Takeover via Workflow Expressions (CVE-2026-25049)

Updated: February 6th, 2026

Category: n8n

Source: n8n

Overview

n8n has published a security advisory for CVE-2026-25049, a critical issue that can allow an authenticated user with permission to create or edit workflows to escape n8n’s sandbox and execute arbitrary code. In practical terms, a user who can edit workflows may be able to run commands on the server hosting n8n, potentially leading to full compromise of the n8n instance and any connected services that rely on stored credentials.


What You Need to Know

  • CVE: CVE-2026-25049
  • Impact (plain language): Remote code execution (RCE) on the n8n server. “RCE” means an attacker can cause the server to run attacker-chosen commands.
  • Who can exploit it: An authenticated user who can create or modify workflows (i.e., someone with builder/editor permissions).
  • What’s at risk if exploited (per research reporting):
    • Stored credentials and secrets (e.g., API keys, OAuth tokens)
    • Sensitive configuration and access to connected systems/services
  • Patch context: The issue is described as a bypass/incomplete protection related to prior fixes in this area (per third-party research).

Affected Products

  • n8n (self-hosted) versions prior to the fixed releases listed below (across both the 1.x and 2.x release trains).
  • n8n Cloud status is not confirmed in the GitHub advisory text alone; validate against n8n’s own service communications if you use cloud-hosted n8n.

  1. Upgrade n8n to a fixed version (or later):
    • 1.123.17
    • 2.4.5
    • 2.5.2
  2. If you cannot upgrade immediately, apply n8n’s temporary mitigations:
    • Limit workflow creation and editing permissions to fully trusted users only.
    • Deploy n8n in a hardened environment with restricted OS privileges and network access to reduce impact if exploitation occurs.

Additional Resources

Pillar Security technical analysis

 

none

Betterment: Data Breach Exposes Customer Personal Information (Approx. 1.4M Accounts Reported)

Updated: February 6th, 2026

Category: Betterment

Source: Betterment

Overview

Betterment disclosed a security incident involving unauthorized access to some of its systems in January 2026. Betterment says its investigation found no evidence that customer accounts, passwords, or login information were compromised, but it did confirm a privacy impact involving customer information. Have I Been Pwned (HIBP) reports the dataset contains roughly 1.4 million affected records.

Because Betterment customers were also targeted with fraudulent promotional emails tied to this incident, users should be alert for phishing and scams that use stolen personal details to seem legitimate.


What You Need to Know

  • Who: Betterment (automated investing / robo-advisory platform)
  • What: Unauthorized access to some Betterment systems via a social engineering attack (per Betterment)
  • Data reportedly exposed (HIBP analysis referenced in reporting):
    • Email addresses, names, geographic location data
    • Also reported: dates of birth, physical addresses, phone numbers, device information, job titles, and employer geographic location (in at least some records)
  • Betterment’s key statement: A follow-up forensic investigation (supported by CrowdStrike) found no customer accounts, passwords, or login information were compromised.
  • Scam activity observed: Betterment said attackers sent fraudulent promotional emails (a “reward” scam) attempting to lure customers into sending cryptocurrency to attacker-controlled wallets.

Affected Products

  • Betterment customer accounts whose information was present in the impacted systems/data set (Betterment has not publicly provided a complete list of affected individuals beyond customer notifications/updates).

Follow Betterment’s customer guidance:

  1. Be cautious of promotional/reward messages claiming to be from Betterment, especially offers involving cryptocurrency transfers or “multiplying” funds. Betterment has stated similar messages were fraudulent.
  2. Review Betterment’s customer update for the latest details and any steps Betterment asks customers to take.

Additional Notes

  • Even when passwords are not exposed, personal data (name, email, DOB, address, phone) can be used to make phishing more convincing. Treat unexpected “Betterment” messages with extra skepticism.
  • Betterment’s statements focus on privacy impact rather than direct takeover of Betterment accounts.

Additional Resources

Have I Been Pwned

Bleeping Computer

 

none

Flickr: Potential Data Exposure via Third-Party Email Service Provider

Updated: February 6th, 2026

Category: Flickr

Source: Bleeping Computer

Overview

Flickr is notifying users about a potential data breach tied to a vulnerability in a system operated by one of its third-party email service providers. Flickr says it disabled access to the affected system within hours of learning about the issue. While Flickr says passwords and payment card numbers were not compromised, some user information may have been exposed, which increases the risk of phishing and account-targeting scams.


What You Need to Know

  • When Flickr learned of the issue: February 5, 2026
  • What happened (plain language): A flaw at an external vendor that helps Flickr send email may have allowed unauthorized access to some Flickr member information.
  • What data may have been exposed:
    • Real names
    • Email addresses
    • Flickr usernames
    • Account type
    • IP addresses and general location data
    • Account activity on the platform
  • What was not exposed (per Flickr):
    • Passwords
    • Payment card numbers
  • Scope: Flickr has not publicly stated how many users are affected and has not named the third-party provider.
  • Threat activity: As of the reporting referenced, no public threat actor claim was noted, and Flickr described the risk as potential exposure rather than confirmed theft.

  1. Review your Flickr account settings for any unexpected changes.
  2. Be cautious of phishing emails that reference your Flickr account details. Flickr notes it will never request your password over email.
  3. Change your password on other services if you reused the same password as your Flickr account credentials (Flickr specifically recommends updating passwords if Flickr credentials were reused elsewhere).

Indicators of Compromise

  • Flickr has not provided formal IOCs. Practical user-facing warning signs include:
    • Unexpected changes to Flickr account settings/profile details
    • Emails claiming to be from Flickr that request credentials, prompt urgent action, or direct you to suspicious login pages

Additional Notes

  • Because exposed data may include email + username + IP/general location + activity, attackers can craft more convincing, personalized phishing messages.
  • This incident originates in a third-party provider system, so affected users may receive increased scam/phishing attempts even if their Flickr account itself was not directly accessed.

Additional References:

Security Week

medium

ownCloud Urges Enabling MFA After Credential-Theft Attacks Against Self-Hosted File Sharing

Updated: February 4th, 2026

Category: ownCloud

Source: ownCloud

ownCloud warned customers to enable multi-factor authentication (MFA) after reports that multiple organizations had self-hosted file-sharing environments (including some ownCloud instances) accessed using compromised credentials. ownCloud states the platform itself was not breached and that no zero-day exploits or product vulnerabilities were involved—attackers logged in using credentials stolen by infostealer malware on employee devices.


What You Need to Know

  • Attack chain: Infostealer infection (e.g., RedLine, Lumma, Vidar) → stolen usernames/passwords → login to ownCloud accounts without MFA → data access/exfiltration
  • Risk: If an attacker has valid credentials, they can access data like a legitimate user unless MFA and other controls are in place.
  • Who is most at risk: Organizations with internet-accessible ownCloud/Nextcloud/ShareFile and MFA not enforced.

  1. Enable and enforce MFA for all users (prioritize administrators and privileged accounts).
  2. Reset passwords for users on the instance (especially if any credential exposure is suspected).
  3. Invalidate active sessions to force re-authentication.
  4. Review access logs for:
    • Unfamiliar IP addresses/locations
    • Unusual download volumes
    • Logins at odd hours or repeated failed logins
  5. Contain infostealer risk on endpoints:
    • Ensure EDR/AV is active and updated
    • Investigate devices associated with suspicious logins and run full scans

Additional Resources

ownCloud Advisory

HudsonRock Report

critical

Critical “Ni8mare” Vulnerability Enables Unauthenticated Takeover of Self-Hosted n8n — CVE-2026-21858

Updated: February 4th, 2026

Category: n8n

Source: Github

Researchers disclosed a critical vulnerability dubbed “Ni8mare” (CVE-2026-21858) impacting self-hosted n8n workflow automation instances. The issue can allow a remote, unauthenticated attacker to access sensitive local files and escalate to account takeover and remote code execution (RCE), potentially resulting in full compromise of the n8n server and connected systems.


What You Need to Know

  • CVE: CVE-2026-21858
  • Severity: CVSS 10.0 (Critical)
  • Attack type: Remote, unauthenticated
  • Impact (per Cyera’s demonstrated chain):
    • Arbitrary file read (local files)
    • Authentication bypass via session forgery (using locally stored secrets/data)
    • Remote code execution by creating a workflow that runs commands (e.g., “Execute Command” node)
  • Why this matters: n8n often contains or can access API keys, OAuth tokens, database credentials, CI/CD secrets, cloud access keys, and business data, making it a high-value target.

Affected Products

  • Self-hosted n8n instances running versions prior to 1.121.0 (upgrade required to remediate).

Recommended Actions

  1. Update n8n immediately to version 1.121.0 or later.
  2. If your n8n instance is (or was) exposed to the internet:
    • Restrict public access to n8n (admin UI, webhooks, and form endpoints) to trusted networks/VPN.
    • Review and rotate secrets used/stored by n8n workflows (SaaS tokens, cloud keys, database creds, CI/CD credentials).
    • Review n8n for unexpected new users, new/changed workflows, or unusual executions.

Additional Resources

Cyera Research Labs Report

high

Veeam Backup & Replication 13 Update Fixes High-Severity RCE Issues — CVE-2025-59470 and Others

Updated: February 4th, 2026

Category: Veeam

Source: Veeam

Veeam has released Veeam Backup & Replication 13.0.1.1071 to address multiple vulnerabilities, including issues that allow remote code execution (RCE). Backup servers are high-value targets because compromising them can help attackers disrupt recovery operations and gain access to sensitive systems and data.


What You Need to Know

  • All vulnerabilities below affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 buildsVeeam 12.x and older are not impacted.

    • CVE-2025-55125 (High, CVSS 7.2): A Backup or Tape Operator can perform RCE as root by creating a malicious backup configuration file.
    • CVE-2025-59468 (Medium, CVSS 6.7): A Backup Administrator can perform RCE as the postgres user by sending a malicious password parameter.
    • CVE-2025-59469 (High, CVSS 7.2): A Backup or Tape Operator can write files as root.
    • CVE-2025-59470 (CVSS 9.0): A Backup or Tape Operator can perform RCE as the postgres user by sending a malicious interval or order parameter.
      • Note: Veeam lists CVSS severity as Critical but adjusts its response rating to High because Backup/Tape Operator roles are already highly privileged and should be tightly controlled.

Affected Products

  • Veeam Backup & Replication 13.0.1.180 and earlier version 13 builds
  • Not affected: Veeam Backup & Replication 12.x and older

  1. Upgrade immediately to Veeam Backup & Replication 13.0.1.1071 (or later).
  2. Audit and restrict privileged Veeam roles (Backup Administrator, Backup Operator, Tape Operator):
    • Remove unnecessary role assignments
    • Ensure strong authentication for privileged accounts
  3. Limit access to VBR management interfaces to trusted admin networks/VPN only and monitor for unusual administrative activity.

Veeam Support Knowledge Base Article

Veeam Support kb4792 

critical

Critical Authentication Bypass Vulnerability in IBM API Connect

Updated: February 4th, 2026

Category: IBM

Source: IBM

IBM has released security updates to address a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow unauthenticated remote attackers to access exposed applications.


What You Need to Know

  • CVE: CVE-2025-13915
  • Severity: Critical (CVSS 9.8)
  • Attack type: Authentication bypass
  • Authentication required: None
  • User interaction: None

Successful exploitation allows attackers to circumvent authentication controls and gain unauthorized access to applications managed by API Connect.


Affected Products

  • IBM API Connect
    • Versions 10.0.11.0
    • Versions 10.0.8.0 through 10.0.8.5

Deployments may be affected across on-premises, cloud, and hybrid environments, including VMware, OpenShift (OCP), and Kubernetes installations.


Recommended Actions

  • Upgrade to the latest IBM API Connect release containing the security fix
  • If immediate patching is not possible, disable self-service sign-up on the Developer Portal (if enabled), as outlined in IBM’s advisory
  • Follow IBM’s environment-specific remediation guidance for VMware, OCP, or Kubernetes deployments

Indicators of Compromise

IBM has not published indicators of compromise related to this vulnerability at the time of disclosure.


Additional Notes

While exploitation has not yet been publicly confirmed, authentication bypass vulnerabilities in API gateways are historically attractive to both financially motivated and state-aligned threat actors due to their ability to expose backend services and sensitive data.


Additional Resources

IBM API Connect Product Information

IBM Update Support Document

critical

Trend Micro Apex Central (On-Prem) Critical Unauthenticated RCE — CVE-2025-69258

Updated: February 4th, 2026

Category: Trend Micro

Source: Trend Micro

Trend Micro patched a critical flaw in Apex Central (on‑premise) that could allow an attacker to remotely take over the Apex Central server without logging in.

In simple terms: the attacker could potentially run their own code on the server with the highest level of Windows permissions (often referred to as “SYSTEM”), which can enable installing malware, changing settings, and using the server to access other systems.


What You Need to Know

  • CVE: CVE-2025-69258
  • Impact: Remote code execution (RCE) — meaning an attacker can make the server run attacker-controlled commands/programs.
  • No login required: The attack is described as unauthenticated.
  • How it’s triggered (reported): A specially crafted message to MsgReceiver.exe over TCP port 20001 can lead to loading an attacker-controlled DLL and executing it.
  • Included in same patch: Two additional DoS issues were also fixed (CVE-2025-69259CVE-2025-69260).

Affected Products

  • Trend Micro Apex Central (on‑premise) installations (apply vendor guidance for exact affected builds)

  1. Patch immediately: upgrade to Critical Patch Build 7190 (or later fixed build).
  2. Reduce exposure (especially until patched):
    • Ensure TCP/20001 is not internet-exposed
    • Restrict Apex Central management access to trusted admin networks/VPN only
  3. Verify the updated build is installed and review firewall rules for any unnecessary inbound access to Apex Central components.

Additional Resources

Tenable Research Advisory

critical

Fortinet FortiSIEM Unauthenticated Remote Command Injection — CVE-2025-64155 (FG-IR-25-772)

Updated: February 4th, 2026

Category: Fortinet

Source: Fortinet

Fortinet published an advisory for CVE-2025-64155, an unauthenticated remote OS command injection vulnerability in FortiSIEM that may allow attackers to execute unauthorized code or commands via crafted TCP requests.


What You Need to Know

  • CVE: CVE-2025-64155
  • Type: OS Command Injection (CWE-78)
  • Attack type: Remote, unauthenticated
  • Important scope note: Fortinet states this issue impacts Super and Worker nodes only (Collectors are not impacted).
  • Workaround (temporary): Restrict access to phMonitor (TCP/7900).

Affected Products / Fixed Versions

  • FortiSIEM Cloud: Not affected
  • FortiSIEM 7.5: Not affected
  • FortiSIEM 7.4.0: Upgrade to 7.4.1+
  • FortiSIEM 7.3.0–7.3.4: Upgrade to 7.3.5+
  • FortiSIEM 7.2.0–7.2.6: Upgrade to 7.2.7+
  • FortiSIEM 7.1.0–7.1.8: Upgrade to 7.1.9+
  • FortiSIEM 7.0.0–7.0.4: Migrate to a fixed release
  • FortiSIEM 6.7.0–6.7.10: Migrate to a fixed release

  1. Upgrade FortiSIEM to the fixed version for your release line (above), or migrate if on 6.7/7.0.
  2. Restrict network access to phMonitor (TCP/7900) to trusted hosts only (temporary mitigation, not a substitute for patching).
  3. If your FortiSIEM was internet-exposed or you suspect compromise, prioritize log review and IR:
    • Horizon3.ai notes PHL_ERROR entries in /opt/phoenix/log/phoenix.logs may help identify abuse patterns.

Additional Resources

Fortinet PSIRT

Horizon3 Coverage

 

 

 

 

medium

Cisco ISE/ISE-PIC Arbitrary File Read Vulnerability — CVE-2026-20029

Updated: February 4th, 2026

Category: Cisco

Source: Cisco

Cisco has released security updates for an XML External Entity (XXE) processing vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). An authenticated remote attacker with administrative privileges could exploit this issue to read arbitrary files from the underlying operating system and access sensitive information.

Cisco confirms proof-of-concept (PoC) exploit code is available, but reports no known malicious exploitation at the time of the advisory.


What You Need to Know

  • CVE: CVE-2026-20029
  • Type: XXE / Improper XML parsing (CWE-611)
  • CVSS (Cisco): 4.9 (Medium) 
  • Attack requirements: Remote attacker must have valid administrative credentials and must be able to upload a malicious file via the web-based management interface.
  • Impact: Information disclosure—ability to read arbitrary OS files, potentially exposing sensitive data.

Affected Products

At the time of publication, Cisco states this vulnerability affects Cisco ISE and Cisco ISE-PIC regardless of device configuration.

Fixed releases (Cisco):

  • Earlier than 3.2: Migrate to a fixed release
  • 3.2: Upgrade to 3.2 Patch 8
  • 3.3: Upgrade to 3.3 Patch 8
  • 3.4: Upgrade to 3.4 Patch 4
  • 3.5: Not vulnerable

Recommended Actions

  1. Upgrade to a fixed version immediately:
    • If you run 3.2, update to Patch 8
    • If you run 3.3, update to Patch 8
    • If you run 3.4, update to Patch 4
    • If you run earlier than 3.2migrate to a supported fixed release
  2. Lock down administrative access (not a workaround, but reduces exposure):
    • Restrict the ISE/ISE-PIC management interface to trusted admin networks/VPN only
    • Enforce MFA for administrative access where possible
    • Review admin account memberships/privileges and remove unnecessary accounts
  3. Monitor for suspicious admin activity:
    • Unexpected file uploads via the management interface
    • Unusual admin logins (new IPs, off-hours, abnormal patterns)

 

Additional Resources

Cisco Advisory

Bleeping Computer Coverage

high

Microsoft January 2026 Patch Tuesday Fixes 114 Vulnerabilities, Including 3 Zero-Days

Updated: February 4th, 2026

Category: Microsoft

Source: Microsoft

Microsoft’s January 2026 Patch Tuesday includes fixes for 114 vulnerabilities, including three zero-days (one actively exploited) and eight Critical vulnerabilities.


What You Need to Know

  • Total fixed: 114 vulnerabilities
  • Zero-days fixed (3):
    • CVE-2026-20805 — Desktop Window Manager information disclosure (actively exploited)
    • CVE-2026-21265 — Secure Boot certificate expiration security feature bypass (publicly disclosed)
    • CVE-2023-31096 — Agere Soft Modem driver elevation of privilege (publicly disclosed; vulnerable drivers removed in this update)
  • Critical vulns addressed: 8 total (6 RCE, 2 EoP per reporting)
  • Secure Boot note: Updates support renewal of expiring Secure Boot certificates issued in 2011 (expirations begin in June 2026), helping maintain the Secure Boot trust chain.

  1. Prioritize deploying January 2026 Windows security updates across endpoints and servers, starting with:
    • Internet-facing/remote access systems
    • Privileged user endpoints
    • High-value servers (identity, management, virtualization)
  2. Validate Secure Boot health and ensure devices continue receiving quality updates ahead of the 2011 certificate expirations.

 

medium

Microsoft: January 2026 Windows Update Can Block Windows 365 / AVD Remote Desktop Connections (KB5074109)

Updated: February 4th, 2026

Category: Microsoft

Source: Microsoft

Microsoft says a recent Windows update intended to improve security functionality is causing authentication errors and connection failures when connecting to Windows 365 Cloud PCs and Azure Virtual Desktop (AVD). The issue is associated with the January 2026 KB5074109 security update and is being tracked as incident WP1217671.


What You Need to Know

  • Issue: Failed connection attempts / sign-in failures to Cloud PC sessions and Remote Desktop connections
  • Triggered by: KB5074109 (January 2026 Windows security update)
  • Affected platforms (per reporting):
    • Windows 11 24H2 and 25H2
    • Windows Server 2025, 2022, 2019
  • Status: Ongoing service degradation; Microsoft investigating and working on mitigation

  1. If users are blocked from Cloud PCs, use Microsoft’s temporary alternatives:
  2. For managed environments:
    • Identify endpoints/servers that installed KB5074109
    • Communicate temporary connection methods to impacted users and helpdesk
    • Monitor Microsoft’s incident/Windows Release Health updates for an official fix or rollback guidance

 

high

Palo Alto PAN-OS/Prisma Access DoS Vulnerability Can Force Firewalls into Maintenance Mode — CVE-2026-0227

Updated: February 4th, 2026

Category: Palo Alto

Source: Palo Alto

Palo Alto Networks has patched a vulnerability (CVE-2026-0227) that could allow an unauthenticated attacker to trigger a denial-of-service (DoS) condition on affected firewalls. Repeated attempts can cause the firewall to enter maintenance mode, disrupting normal firewall protections. The issue impacts PAN-OS 10.1 and later when GlobalProtect gateway or portal is enabled, and also affects certain Prisma Access configurations.


What You Need to Know

  • CVE: CVE-2026-0227
  • Impact: Unauthenticated DoS; repeated triggering can push a firewall into maintenance mode
  • Affected when: GlobalProtect gateway or portal is enabled
  • Status: Vendor reported no evidence of active exploitation at time of advisory publication
  • Prisma Access: Palo Alto indicates most cloud instances have already been upgraded; remaining customers are being scheduled

Affected Products

  • PAN-OS firewalls running PAN-OS 10.1+ with GlobalProtect gateway or portal enabled
  • Prisma Access configurations as described in the vendor advisory

  1. Upgrade PAN-OS / Prisma Access to a fixed release per Palo Alto Networks guidance. From the information provided:
    • PAN-OS 12.1: upgrade to 12.1.4+
    • PAN-OS 11.2 / 11.1 / 10.2: upgrade to the vendor-listed fixed hotfix release (varies by minor version)
    • Unsupported PAN-OS: upgrade to a supported fixed version
  2. Prioritize internet-exposed GlobalProtect portals/gateways for patching first.
  3. Review exposure and monitoring:
    • Confirm which devices have GlobalProtect enabled and exposed externally
    • Monitor for repeated crash/DoS symptoms, unexpected reboots, or entry into maintenance mode

Additional Resources

Palo Alto Advisory

medium

“Reprompt” Technique Abused Copilot Personal Sessions for Stealth Data Exfiltration (Patched)

Updated: February 4th, 2026

Category: Microsoft

Source: Varonis

Researchers disclosed an attack method dubbed “Reprompt” that could allow an attacker to hijack a user’s Microsoft Copilot Personal session after a single click on a crafted Copilot link. The technique used prompt injection delivered via a URL parameter to issue commands in the user’s authenticated session and exfiltrate data through follow-on requests.

Microsoft has addressed the issue (reported fixed in January 2026 Patch Tuesday), and there is no evidence of active exploitation reported.


What You Need to Know

  • Impacted product: Copilot Personal (consumer)
  • Not impacted (per Varonis): Microsoft 365 Copilot (enterprise), which has additional tenant-level controls (e.g., Purview auditing/DLP/admin restrictions).
  • Attack requirements: One-click user interaction (phishing link). No plugins required.
  • Impact: Potential theft of Copilot conversation data and other accessible personal Microsoft data depending on permissions/context.
  • Status: Patched; no in-the-wild exploitation reported.

  1. Apply the latest Windows security updates (January 2026 Patch Tuesday or later) across endpoints.
  2. Reinforce phishing-resistant user practices:
    • Treat unsolicited “Copilot links” as suspicious
    • Use safe-link rewriting/scanning if available
  3. For organizations that allow Copilot Personal on corporate devices, consider:
    • Reviewing policy on consumer AI assistants on managed endpoints
    • Monitoring for unusual browser activity and suspicious outbound connections associated with link-based phishing campaigns

Additional Resources

Varonis Blog

high

“WhisperPair” Fast Pair Flaw Lets Attackers Hijack and Potentially Eavesdrop via Bluetooth Audio Devices — CVE-2025-36911

Updated: February 4th, 2026

Category: Google

Source: COSIC Research Group

KU Leuven researchers disclosed WhisperPair (CVE-2025-36911), a vulnerability affecting many Bluetooth audio accessories that support Google Fast Pair. Due to incorrect Fast Pair implementations in some accessories, an attacker within Bluetooth range may be able to forcibly pair with a vulnerable device without user consent, potentially enabling device hijacking and eavesdropping through the accessory microphone.


What You Need to Know

  • CVE: CVE-2025-36911
  • Attack requirements: Attacker must be within Bluetooth range (tested up to 14 metres) using commodity Bluetooth hardware; attack can succeed quickly (reported median ~10 seconds).
  • Impact: Unauthorized pairing can give an attacker control of the accessory (including audio playback and, where supported, microphone recording).
  • Tracking risk: In certain conditions (e.g., accessory never paired with an Android device), an attacker may be able to add the accessory to their account and track it via Google’s Find Hub network.
  • Important: Disabling Fast Pair on a phone does not mitigate the issue because Fast Pair support cannot be disabled on the accessory.

Affected Products

Bluetooth accessories that support Google Fast Pair, depending on vendor firmware implementation. Affected scope varies by model and firmware version. For a searchable list of devices visit https://whisperpair.eu/vulnerable-devices. 


  1. Update accessory firmware as soon as updates are available from the manufacturer (this is the primary/only fix).
  2. Check whether your specific device is listed as vulnerable and whether a patch is available:
  3. For high-risk users/environments until confirmed patched:
    • Avoid using vulnerable Bluetooth accessories for sensitive conversations
    • Power off accessories when not in use and avoid leaving them active in public/shared spaces

none

Security Alert: Active phishing emails impersonating LastPass “vault backup” maintenance notice

Updated: February 4th, 2026

Category: LastPass

Source: LastPass

LastPass is warning about an active phishing campaign that uses emails claiming LastPass is performing maintenance and urging users to “back up your vault in the next 24 hours.” These emails are not legitimate. The links lead to phishing pages designed to steal credentials.


What You Need to Know

  • The campaign began on or around Jan 19, 2026.
  • The emails try to create urgency (“24 hours”)—a common phishing tactic.
  • LastPass states clearly: LastPass is NOT asking customers to back up their vaults in the next 24 hours.
  • The email link routes users to a malicious URL hosted on Amazon S3, then redirects to mail-lastpass[.]com.

Affected Products

  • LastPass customer accounts (anyone receiving these phishing emails).

  1. Do not click links in emails that claim you must back up your vault within 24 hours.
  2. Remember: LastPass will never ask for your master password.
  3. If you are unsure whether a LastPass-branded email is legitimate, submit it to[email protected].
  4. LastPass states it is working with third-party partners to have the malicious domain taken down.

Indicators of Compromise (IOCs) (from LastPass)

 

Email “From” addresses observed

  • support@sr22vegas[.]com
  • support@lastpass[.]server8
  • support@lastpass[.]server7
  • support@lastpass[.]server3

Email subject lines observed

  • “LastPass Infrastructure Update: Secure Your Vault Now”
  • “Your Data, Your Protection: Create a Backup Before Maintenance”
  • “Don't Miss Out: Backup Your Vault Before Maintenance”
  • “Important: LastPass Maintenance & Your Vault Security”
  • “Protect Your Passwords: Backup Your Vault (24-Hour Window)”

Header information / associated IPs (as listed by LastPass)

  • 192.168.16[.]19
  • 172.23.182[.]202

Additional Resources

Bleeping Computer Coverage

LastPass Advisory (with Screenshots)

critical

Security Alert: Cisco Unified Communications products Critical RCE (CVE-2026-20045) — exploitation observed

Updated: February 4th, 2026

Category: Cisco

Source: Cisco

Cisco has released updates for a Critical vulnerability (CVE-2026-20045) that could allow an unauthenticated remote attacker to run commands on the underlying operating system of affected Cisco Unified Communications products by sending crafted HTTP requests to the web-based management interface.

Cisco confirms it is aware of attempted exploitation in the wild.


What You Need to Know

  • What it is: Remote Code Execution (RCE) via the web-based management interface.
  • Why it matters: Cisco says a successful exploit could allow an attacker to gain user-level OS access and then elevate privileges to root.
  • Severity: Cisco rates this advisory Critical (CVSS base score 8.2), noting the potential for root compromise.
  • Exploitation: Cisco PSIRT is aware of attempted exploitation in the wild.
  • Workarounds: None (Cisco states updates are required).

Affected Products

Cisco states this vulnerability affects the following products regardless of device configuration:

  • Cisco Unified Communications Manager (Unified CM)
  • Cisco Unified CM Session Management Edition (SME)
  • Cisco Unified CM IM & Presence Service (IM&P)
  • Cisco Unity Connection
  • Cisco Webex Calling Dedicated Instance

Cisco also lists products confirmed not vulnerable in the advisory (see “Products Confirmed Not Vulnerable”).


  1. Upgrade to a fixed release (preferred)

    • Cisco strongly recommends upgrading to an appropriate fixed software release listed in the advisory.
  2. If you cannot upgrade immediately, apply the Cisco patch file for your exact version

    • Cisco provides version-specific patch files and notes: patches are version-specific—review the README attached to the patch before applying.

Fixed software guidance (from Cisco’s tables):

Unified CM / Unified CM IM&P / Unified CM SME / Webex Calling Dedicated Instance

  • 12.5: Migrate to a fixed release.
  • 14: 14SU5 or apply patch:
    • ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
  • 15: 15SU4 (Mar 2026) or apply patch:
    • ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512
    • ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection

  • 12.5: Migrate to a fixed release.
  • 14: 14SU5 or apply patch:
    • ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
  • 15: 15SU4 (Mar 2026) or apply patch:
    • ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

 

critical

SmarterMail: Critical Auth Bypass Enables Admin Account Takeover (CVE-2026-23760) — Active Automated Exploitation Reported

Updated: February 4th, 2026

Category: SmarterMail

Source: watchTowr

SmarterMail servers are being targeted in automated attacks exploiting a critical flaw that allows an attacker to reset a system administrator password without permission. In simple terms: if your SmarterMail server is exposed and unpatched, an attacker may be able to take over the admin account without logging in, and then use built-in admin features to run commands on the server.

SmarterTools shipped emergency security fixes in January 2026; upgrading is urgent.


What You Need to Know

  • CVE: CVE-2026-23760
  • Vulnerability type (plain language): Authentication bypass in the password reset API. The /api/v1/auth/force-reset-password endpoint can accept anonymous requests and (in vulnerable builds) does not properly verify credentials/tokens when resetting system administrator accounts.
  • Why this becomes “server takeover”: watchTowr explains that once an attacker gains admin access, SmarterMail exposes functionality that can execute operating system commands (for example via Settings → Volume Mounts), which can lead to remote code execution (RCE).
  • Exploitation status: Reported in the wild, including mass/automated exploitation
  • Fixed builds (vendor):
    • Build 9511 (Jan 15, 2026) — marked as “IMPORTANT: Critical security fixes”
    • Build 9518 (Jan 22, 2026) — also “IMPORTANT: Critical security fixes” and strongly recommended by SmarterTools

Affected Products

  • SmarterTools SmarterMail versions prior to Build 9511 

  1. Upgrade SmarterMail immediately to a fixed build.
    • At minimum: Build 9511 or later
    • Preferred (vendor strongly recommends due to critical fixes): Build 9518
  2. Confirm the instance is running the updated build after maintenance.

Indicators of Compromise

No official vendor IOC list is provided in the release notes. However, watchTowr highlights a strong detection lead:

  • Unexpected requests or audit log entries containing force-reset-password (e.g., calls to /api/v1/auth/force-reset-password) may indicate password reset abuse.

If you see evidence of unauthorized admin password resets, treat the environment as potentially compromised and follow your organization’s incident response process.


Additional Resources

SmarterMail Release Notes (Build 9511/9518):

SmarterMail Downloads Page

high

Security Alert: Possible attacker abuse of SSO admin login on Fortinet devices

Updated: February 4th, 2026

Category: Fortinet

Source: Fortinet

Fortinet is warning about attackers logging in to Fortinet devices as an administrator using SSO and then making changes on the device.

SSO (Single Sign-On) means you log in using an online identity service (instead of a local username/password on the firewall). In the cases Fortinet investigated, attackers used SSO to get admin access and then often created a new local admin account so they can get back in later.


What You Need to Know

This alert matters most if you:

  • Use a FortiGate firewall (FortiOS), or manage Fortinet edge devices, and
  • Allow remote administrative login (especially from the internet), and/or
  • Have FortiCloud SSO or other SAML-based SSO enabled for administrator login.

Fortinet says:

  • They have identified an issue and are working on a fix.
  • They have seen activity that suggests a new attack path, including cases where a device was fully updated at the time.
  • While the observed activity involves FortiCloud SSO, Fortinet notes the issue is relevant to SAML SSO more broadly.

Affected Products

Fortinet’s blog focuses on:

  • FortiOS (FortiGate)

Fortinet also references an earlier advisory affecting these products when FortiCloud SSO is enabled:

  • FortiOS
  • FortiWeb
  • FortiProxy
  • FortiSwitch Manager

(If you manage any of these and have SSO admin login enabled, pay attention.)


Do the following steps in order of priority:

  1. Limit who can reach the admin login page
  • Fortinet’s best practice is: do not allow unrestricted administration from the internet.
  • If you must administer remotely, Fortinet recommends using a local-in policy to allow admin access only from trusted IP addresses (for example, your office or VPN IP range).
  1. Disable FortiCloud SSO for admin login (workaround)
    Fortinet recommends disabling FortiCloud SSO as an additional workaround. They note this should be done together with restricting admin access, because it won’t stop every possible SAML/SSO scenario.
  • GUI: System → Settings → “Allow administrative login using FortiCloud SSO” = Off
  • CLI:
    config system global
        set admin-forticloud-sso-login disable
    end
  1. Watch for Fortinet’s update
  1. If you find signs of compromise
    Fortinet recommends treating the device and its configuration as compromised and:
  • Make sure you are running the latest firmware (Fortinet recommends latest release 7.6 where possible).
  • Restore a known-good configuration or audit for unauthorized changes (especially new admin accounts and VPN changes).
  • Rotate credentials, including any connected LDAP/AD accounts (Fortinet links guidance).

Indicators of Compromise (IOCs) (from Fortinet)

Check your Fortinet logs for:

Suspicious SSO usernames

Suspicious source IP addresses

  • 104.28.244.115
  • 104.28.212.114

Additional IPs observed by a third party (not Fortinet):

  • 37.1.209.19
  • 217.119.139.50

Unexpected local admin accounts often created

  • audit
  • backup
  • itadmin
  • secadmin
  • support

Fortinet also provides example log messages showing:

  • Successful admin login via method="sso"
  • A new admin being added under system.admin

Additional Notes

  • You do not need to understand SAML details to act on this alert. The practical takeaway is: reduce exposure of the admin interface and disable FortiCloud SSO admin login if you don’t absolutely need it.
  • Fortinet expects the attacker details (usernames/IPs) may change, so also look for any unexpected SSO admin logins and new local admin accounts.

Additional Resources

Arctic Wolf Blog

Bleeping Computer Coverage

none

Microsoft: Outlook for iOS on iPad May Crash or Freeze on Launch (v5.2602.0) — Incident EX1220516

Updated: February 4th, 2026

Category: Microsoft

Source: Microsoft

Microsoft reports an issue where Outlook for iOS on iPads may crash or freeze when the app is opened. Microsoft attributes this to a coding error introduced in Outlook for iOS version 5.2602.0. A fix has been developed, but distribution may take time due to Apple App Store review and rollout.


What You Need to Know

  • Incident: EX1220516 (Microsoft 365 admin center)
  • Impacted platform: iPad (Outlook for iOS)
  • Impacted version: Outlook for iOS 5.2602.0
  • User impact: Outlook may freeze or crash at launch
  • Vendor explanation (plain language): A code change intended to refresh tabs (instead of restarting them) when certain configuration “feature flags” change is causing instability.
  • Fix status: Microsoft says a fixed app version is being prepared and may take up to 24 hours to reach the App Store.

Affected Products

  • Microsoft Outlook for iOS version 5.2602.0 running on iPad devices

  1. Workaround: Open Outlook while Airplane Mode is enabled, then re-enable Wi‑Fi and/or cellular data after Outlook launches.
  2. Update Outlook as soon as the fixed version becomes available in the Apple App Store (availability may lag due to Apple’s release process).

Additional Notes

  • This issue may affect all iPad users running Outlook for iOS 5.2602.0 (per Microsoft’s statement).
  • If you manage iPads centrally, consider communicating the workaround to users and advising them to check for an Outlook update later today.

Sign up for our cybersecurity newsletter