CISO Brief

Security Advisory and Patch Watch

All news in category “Security Advisory and Patch Watch”


Drupal warns of urgent core security release on May 20

⚠️ The Drupal Security Team announced a planned core security release for all supported branches on May 20, 2026, from 5–9 p.m. UTC. Administrators are urged to reserve that window because exploits may emerge within hours or days, and to update to the latest patch for their branch in advance. Patches are expected for 11.3.x, 11.2.x, 10.6.x and 10.5.x, with mitigation guidance and instructions for end-of-life releases included.

Critical RCE and Data-Leak Flaws in SEPPMail Gateway

🔒 InfoGuard Labs disclosed multiple critical vulnerabilities in SEPPMail Secure E-Mail Gateway that allow unauthenticated remote code execution, path traversal, deserialization flaws, and exposure of sensitive server data. Researchers demonstrated an exploit chain leveraging the LFT path traversal (CVE-2026-2743) to overwrite syslog configuration and obtain a Perl reverse shell, enabling full appliance takeover and mail interception. SEPPmail has released fixes across versions 15.0.2.1, 15.0.3 and 15.0.4 and urges administrators to apply updates immediately.

Windows 11 May Patch Fails Due to EFI Partition Size

⚠️ Some Windows 11 devices fail to complete Microsoft’s May Security Update when the EFI System Partition (ESP) has roughly 10MB or less free, producing the rollback message "Something didn’t go as planned. Undoing changes." Microsoft suggested a registry tweak or rollback while consultants warn this leaves endpoints unpatched and undermines trust in update validation. Experts recommend resizing partitions, testing fixes, and adding ESP checks to endpoint health.

Patched Windows Cloud Filter Bug Reappears as Exploit

🔒 Researchers report a six-year-old elevation-of-privilege vulnerability in the Windows Cloud Filter driver cldflt.sys remains exploitable despite a 2020 patch. Nightmare Eclipse reworked a Google Project Zero PoC by James Forshaw into an exploit called MiniPlasma, which can elevate a local user to SYSTEM on many builds. The issue, tracked as CVE-2020-17103, involves undocumented key-creation behavior and is race-dependent; Microsoft declined immediate comment.

Zero-Day Exploit Targets Windows BitLocker TPM Protections

⚠️ A new zero-day called YellowKey, published this week by a researcher using the alias Nightmare-Eclipse, demonstrates a reliable bypass of default Windows 11 BitLocker deployments. The exploit circumvents disk encryption that relies solely on the TPM-stored key and requires physical access to the affected machine. Organizations that mandate BitLocker, including government contractors, should reassess device physical security and BitLocker configuration.

Critical Patches for Ivanti, Fortinet, SAP, VMware, n8n

🔒 Ivanti, Fortinet, SAP, VMware, n8n and dozens of other vendors have released security updates addressing multiple high- and critical-severity flaws that enable authentication bypass, information disclosure, local privilege escalation, and remote code execution. Highlights include a critical Ivanti Xtraction file-name control flaw (CVE-2026-8043), Fortinet authentication and sandbox execution bugs, SAP SQL injection and missing-auth issues, and a TOCTOU local privilege escalation in VMware Fusion. Administrators should prioritize applying the vendor-recommended patches immediately.

MiniPlasma Zero-Day Enables SYSTEM Privilege on Windows

🛡️ Chaotic Eclipse has published a proof-of-concept for a Windows privilege escalation zero-day, dubbed MiniPlasma, which targets the Cloud Files Mini Filter Driver (cldflt.sys) in the HsmOsBlockPlaceholderAccess routine. Originally reported to Microsoft in September 2020 and linked to CVE-2020-17103, the researcher says the exact issue remains unpatched. Tests show it can spawn a SYSTEM shell on fully patched Windows 11 systems running May 2026 updates, though success rates vary due to a race condition.

Microsoft: KB5089549 Fails on Devices with Low ESP

⚠️ Microsoft confirmed that the May 2026 Windows 11 cumulative update KB5089549 can fail to install and roll back on systems with limited free space on the EFI System Partition (ESP). Installation may proceed to about 35–36% before aborting with 0x800f0922 errors and the rollback message. Logs show SpaceCheck: Insufficient free space and servicing boot file errors. Microsoft advises using Known Issue Rollback or applying a Group Policy in managed environments to mitigate.

Exploit Released for DirtyDecrypt Linux Root Escalation

🔒 A proof-of-concept exploit is available for the recently patched DirtyDecrypt (aka DirtyCBC) local privilege escalation in the Linux kernel's rxgk module, enabling attackers to gain root on systems built with CONFIG_RXGK enabled. The flaw, independently reported by the V12 team on May 9, aligns with CVE-2026-31635, which was patched in late April. The PoC has been tested against Fedora and mainline kernels and mainly affects distributions that track upstream releases, such as Fedora, Arch, and openSUSE Tumbleweed. Users should apply kernel updates or use recommended mitigations until patches are deployed.

MiniPlasma Zero-Day Allows SYSTEM Access on Windows

🔒 A researcher known as Chaotic Eclipse published a proof-of-concept exploit and a compiled executable for a Windows privilege escalation zero-day named MiniPlasma. The researcher says the issue affects the cldflt.sys Cloud Filter driver and an undocumented CfAbortHydration API, and claims the bug traces back to a 2020 report (CVE-2020-17103). BleepingComputer tested the PoC on a fully patched Windows 11 Pro system (May 2026 updates) and reproduced SYSTEM-level access. Microsoft has been contacted for comment.

NGINX Heap Overflow CVE-2026-42945 Exploited in the Wild

⚠️ A high-severity heap buffer overflow (CVE-2026-42945, CVSS 9.2) in the ngx_http_rewrite_module of NGINX Plus and NGINX Open (versions 0.6.27–1.30.0) is being exploited in the wild shortly after disclosure. The flaw, reportedly introduced in 2008, can allow unauthenticated attackers to crash worker processes or, when Address Space Layout Randomization (ASLR) is disabled and certain configurations are present, achieve remote code execution. Users are advised to apply F5's fixes and review server configurations urgently.

Microsoft Rejects Azure Backup AKS Vulnerability Report

🔒 A security researcher alleges Microsoft quietly changed Azure Backup for AKS behavior after rejecting his March disclosure and blocking a CVE, arguing the issue required pre-existing administrative access. The reported flaw purportedly allowed a user with only the Backup Contributor role to gain cluster-admin privileges via Trusted Access. Microsoft maintains the behavior was expected and that no product changes were made, yet the researcher observed new permission checks and a shift to manual Trusted Access configuration after disclosure. CERT/CC validated the bug but the CVE process stalled, leaving defenders with limited visibility.

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️ A critical vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports attackers are planting fake Google Tag Manager-like scripts in the plugin's External Scripts setting to load payment skimmers. FunnelKit released a patch in v3.15.0.3; site owners should update immediately and inspect checkout scripts.

Emergency Zero-Day in Exchange Server Forces Mitigations

⚠️ Microsoft has warned of a zero-day cross-site scripting vulnerability in Exchange Outlook Web Access (OWA) that can be triggered by a specially crafted email. The flaw (CVE-2026-42897) is being actively exploited and affects Exchange Server 2016, 2019, and Server Subscription Edition, while Exchange Online is unaffected. Microsoft has published an automatic mitigation via the Exchange EM Service; administrators should enable EM Service or run the Exchange on-premises Mitigation Tool (EOMT) if servers are air-gapped. The interim mitigations can disrupt OWA features such as calendar printing and inline image display, and a formal security update will be released later.

Amazon RDS for PostgreSQL Extended Support Release

🔒 Amazon RDS for PostgreSQL now offers Extended Support minor versions 11.22-rds.20260224, 12.22-rds.20260224, and 13.23-rds.20260224. We recommend upgrading to these releases to address known security vulnerabilities and bug fixes present in prior PostgreSQL versions. Use automatic minor version upgrades during scheduled maintenance windows and the AWS Organizations Upgrade Rollout Policy to stage upgrades across accounts. Consider Blue/Green deployments with physical replication to minimize downtime when applying minor version updates.

Avada Builder Flaws Expose Files and Enable SQLi Risks

🔒 The Avada Builder WordPress plugin contained two serious vulnerabilities impacting an estimated one million active installations. One flaw (CVE-2026-4782) allows authenticated users with subscriber access to read arbitrary server files via the plugin’s shortcode-rendering and the custom_svg parameter, exposing sensitive files like wp-config.php. The other issue (CVE-2026-4798) is a time-based blind SQL injection exploitable without authentication if WooCommerce was previously installed and then deactivated. Administrators are urged to update to Avada Builder 3.15.3 immediately.

Four OpenClaw Flaws Enable Data Theft and Persistence

🔒 Cybersecurity researchers disclosed four vulnerabilities in OpenClaw — collectively named Claw Chain — that can be chained for data theft, privilege escalation, and persistence. The flaws include two TOCTOU race conditions enabling reads and writes outside sandbox mounts, an allowlist bypass via heredoc expansion, and an access-control weakness allowing owner impersonation. Vendor patches are available in version 2026.4.22; users are urged to update immediately. Successful exploitation can expose credentials, modify configurations, and plant backdoors while mimicking normal agent behavior to evade detection.

Microsoft warns of Exchange Server zero-day XSS flaw

⚠️ Microsoft has disclosed a high-severity zero-day, CVE-2026-42897, in on-premises Exchange Server that could allow an attacker to execute arbitrary code by sending a specially crafted email to an Outlook user. The flaw is an XSS vulnerability affecting all supported versions of Exchange 2016, 2019 and Subscription Edition, but not Exchange Online. Microsoft recommends enabling the Exchange Emergency Mitigation (EM) Service, which is applied by default, and provides an alternative manual mitigation via the Exchange On-premises Mitigation Tool for air-gapped environments while patches are developed.

Cisco warns of exploited SD-WAN authentication bypass

⚠️ Cisco has disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms that has been observed exploited in the wild. The flaw lets unauthenticated remote actors craft control-connection requests to bypass peer authentication and gain administrative privileges. Cisco has released updates and urges immediate patching because no workarounds exist. The issue is tracked as CVE-2026-20182 with a CVSS score of 10.0 and was added to CISA’s KEV list.

Microsoft: Exchange Server XSS flaw actively exploited

⚠️ Microsoft disclosed a new actively exploited vulnerability, CVE-2026-42897 (CVSS 8.1), a spoofing bug caused by cross-site scripting in on-premises Exchange Server. An attacker can execute arbitrary JavaScript by sending a crafted email that is opened in Outlook Web Access. Microsoft offers a temporary mitigation via the Exchange Emergency Mitigation Service (enabled by default) and provides an EOMT PowerShell script for environments that cannot use the service; Exchange Online is not affected.