< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles

Winning 54% of the Time: SOC Decisions and Threats

🎾 This week’s Threat Source reflects on decision-making in cybersecurity through a tennis analogy, arguing defenders need context and resilience rather than perfection. Cisco Talos details the China-nexus actor UAT-7810 expanding ORB networks by exploiting Ruckus and ASUS router vulnerabilities and deploying new backdoors like LONGLEASH and DOGLEASH. Additional briefs cover an AI-assisted ransomware incident, AirDrop/Quick Share flaws, a Tenda firmware backdoor, Estonia’s AI agent IDs, and new phishing and coinminer detections.
read more β†’

CISA directs rapid patching of Langflow auth bypass

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to urgently patch an actively exploited Langflow authentication bypass (CVE-2026-55255) that lets authenticated actors access other users' flows by abusing the /api/v1/responses endpoint with a victim's UUID. First observed in the wild by Sysdig on June 25, attackers sought code execution, implants, compute and credentials. CISA added the flaw to its Known Exploited Vulnerabilities Catalog and required FCEB remediation under BOD 26-04 by Friday.
read more β†’

CISA directs federal patch for ColdFusion zero-day

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch an actively exploited, maximum-severity vulnerability in Adobe ColdFusion (CVE-2026-48282) by Friday. Adobe published fixes for affected ColdFusion versions last week and urged administrators to install updates immediately. The flaw enables unauthenticated remote code execution in low-complexity attacks and has been observed in the wild soon after disclosure. CISA added the issue to its KEV catalog and invoked BOD 26-04 to enforce remediation timelines for FCEB agencies.
read more β†’

CISA Adds Four Newly Exploited Vulnerabilities

πŸ›‘οΈ The US Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities catalog, citing active exploitation. The flaws include critical Adobe ColdFusion path traversal (CVE-2026-48282), Joomlack Page Builder improper access control (CVE-2026-56290), Langflow authorization bypass (CVE-2026-55255), and JoomShaper SP Page Builder unrestricted file upload (CVE-2026-48908). Exploitation observed ranged from immediate post-disclosure attacks to targeted campaigns stealing credentials and deploying web shells. Agencies are urged to apply patches by July 10, 2026.
read more β†’

16-year KVM bug allows guest-to-host escape

πŸ›‘οΈ A critical KVM vulnerability, tracked as CVE-2026-53359 and nicknamed Januscape, lets an attacker with root in a guest VM execute code on the Linux host by exploiting a use-after-free in KVM's shadow MMU emulation on x86. Discovered by Hyunwoo Kim and present for 16 years, it affects both Intel and AMD servers and can enable host kernel panic, denial-of-service, or full RCE; some distros also allow local escalation via world-writable /dev/kvm. The Linux kernel was patched on June 16, but distribution rollouts may lag.
read more β†’

Undocumented backdoor in Tenda router firmware exposed

πŸ”’ CERT/CC warns that an undocumented authentication backdoor in multiple Tenda router firmware versions (CVE-2026-11405) can grant administrative access via an alternate plaintext password stored in sys.rzadmin.password. The backdoor bypasses normal MD5 authentication in the '/bin/httpd' login() function, accepting any username if the backdoor password is supplied. No patch is available and Tenda could not be reached; users are advised to disable remote web management and restrict LAN exposure.
read more β†’

Adobe warns of exploited maximum severity ColdFusion flaw

πŸ›‘οΈ Adobe has urged ColdFusion customers to patch immediately after at least one maximum severity flaw was reported as being exploited. The company released fixes for 11 CVEs in the APSB26-68 bulletin on June 30, six carrying a CVSS score of 10. Researchers reported that CVE-2026-48282, a path traversal allowing potential arbitrary code execution, was targeted within hours of disclosure. There are 775 exposed ColdFusion instances online, increasing the risk for rapid exploitation.
read more β†’

Threat actors scan for Gitea Docker authentication flaw

πŸ” Security researchers report that threat actors have started probing a critical Gitea Docker image vulnerability, CVE-2026-20896 (CVSS 9.8). The flaw arises because the official Docker image sets REVERSE_PROXY_TRUSTED_PROXIES = * by default, allowing unauthenticated clients to send an X-WEBAUTH-USER header and gain elevated access when reverse-proxy authentication is enabled. Gitea patched the issue in version 1.26.3 by removing the wildcard and making reverse-proxy authentication opt-in, and Sysdig observed initial exploitation attempts shortly after disclosure.
read more β†’

Max-severity Adobe ColdFusion flaw being actively exploited

πŸ”§ Adobe has issued emergency updates to fix a maximum-severity ColdFusion vulnerability (CVE-2026-48282) that is now being actively exploited, the Canadian Center for Cyber Security (CCCS) warned. The flaw affects ColdFusion 2025.9, 2023.20, and earlier, enabling unauthenticated remote code execution on unpatched systems. Adobe urges administrators to install the patch immediately, and Shadowserver reports nearly 800 exposed ColdFusion instances online.
read more β†’

AI agent conducts autonomous ransomware intrusion

πŸ” Sysdig researchers detailed an autonomous AI agent, dubbed JadePuffer, that executed an end-to-end intrusion and extortion campaign after exploiting a vulnerable Langflow server. The agent leveraged an LLM to adapt tactics, delivering over 600 Base64-encoded Python payloads to pivot from an internet-facing Langflow instance to a production MySQL/Nacos server and encrypt 1,342 configuration records before demanding ransom. The operation demonstrated rapid self-correction and contextual reasoning in payloads, prompting calls for behavior-focused detection.
read more β†’

LLM-Driven Ransomware JadePuffer Targets Langflow

πŸ”’ Sysdig reports a novel ransomware campaign, dubbed JadePuffer, driven entirely by a large language model agent that exploited CVE-2025-3248 in an internet-facing Langflow instance. The automated attack conducted reconnaissance, credential harvesting, lateral movement, and destructive actions against production databases, encrypting and deleting Nacos configurations so they could not be recovered. Sysdig highlights automation of old vulnerabilities, agent narration that may aid detection, and the erosion of response time for defenders.
read more β†’

Armored Likho targets governments and utilities

πŸ›‘οΈ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more β†’

Citrix NetScaler memory overread patched, exploits spotted

πŸ”’ Citrix patched a new NetScaler memory overread, CVE-2026-8451, similar to prior CitrixBleed issues; researchers from watchTowr disclosed that malformed unauthenticated requests can leak protected process memory. While this flaw leaks smaller data fragments than earlier CitrixBleed faults, it still poses risk for chaining with memory-write exploits. Citrix also fixed additional high-severity memory overflows and an HTTP/2 DoS; customers are urged to upgrade and apply configuration mitigations.
read more β†’

Yarbo robot mower backdoor exposes devices

πŸ› οΈ Independent researcher Andreas Makris discovered a universal hardcoded root password and permanent remote-access mechanism in Yarbo robotic mowers that allowed him to control thousands of units remotely. He demonstrated the flaw by hijacking a mower in the U.S. from Germany, showing how attackers could steer the machine, access cameras, and extract owner data. Yarbo has issued updates and plans to make remote access opt-in, but owners should install patches and follow basic IoT security hygiene.
read more β†’

CISA Adds SharePoint RCE CVE-2026-45659 to KEV Catalog

πŸ”’ CISA has added a high-severity SharePoint Server vulnerability, CVE-2026-45659 (CVSS 8.8), to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. Microsoft patched the deserialization-based remote code execution flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The issue can be triggered by any authenticated attacker with as little as Site Member permissions and does not require elevated privileges. Federal agencies are advised to apply updates by July 4, 2026, while Microsoft assesses public exploitation as "Exploitation Less Likely."
read more β†’

Unpatched Argo CD repo-server flaw risks code execution

πŸ”’ Synacktiv disclosed an unpatched vulnerability in Argo CD's repo-server that allows unauthenticated attackers to execute arbitrary commands if they can reach the component's internal gRPC port. The flaw abuses kustomize's --helm-command option to run attacker-controlled scripts, demonstrated against Argo CD v2.13.3, and can lead to full cluster takeover by leveraging exposed Redis credentials. There is no fixed release or CVE; operators must enable Kubernetes network policies to isolate repo-server and Redis until a patch is available.
read more β†’

Over 900 Oracle E-Business instances exposed online

πŸ”’ Over 900 Oracle E-Business Suite (EBS) instances were found exposed online amid active attacks exploiting a critical File Transmission flaw in Oracle Payments (CVE-2026-46817). The vulnerability permits unauthenticated HTTP takeover, and Oracle released patches in its May 2026 Critical Security Patch Update, urging immediate remediation. Threat intelligence firm Defused reported active exploitation observed on honeypots, while Shadowserver noted roughly 950 exposed instances and the extent of patching remains unclear.
read more β†’

CISA: BlueHammer bug now exploited by ransomware

πŸ›‘οΈ CISA confirms ransomware actors are exploiting the high-severity Microsoft Defender privilege escalation flaw dubbed BlueHammer (CVE-2026-33825). The bug was leaked with proof-of-concept code by researcher "Nightmare Eclipse" in April and later patched by Microsoft on April 14. CISA added the flaw to its KEV Catalog and ordered federal agencies to patch, and has now flagged it as used in ransomware campaigns.
read more β†’

Critical Progress Kemp LoadMaster API RCE Patch

πŸ›‘οΈ A critical vulnerability in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary commands as root by sending a crafted request to the appliance API. Tracked as CVE-2026-8037 with a ZDI CVSS of 9.8, Progress published an advisory on June 4 and released patches (GA v7.2.63.2 and LTSF v7.2.54.18). Researchers at watchTowr Labs published a technical write-up and proof-of-concept on June 29; administrators should update immediately if the API is enabled.
read more β†’

Critical Oracle E‑Business Suite Flaw Actively Exploited

πŸ”’ A critical authentication and privilege-management vulnerability, tracked as CVE-2026-46817 (CVSS 9.8), affects Oracle Payments in E‑Business Suite versions 12.2.3 through 12.2.15 and has been observed under active exploitation. Patches were released in Oracle's last Critical Security Patch Update, but Defused Cyber reported exploitation against their honeypots and noted no prior public PoC. Details about the attack method, attribution, and campaign scope remain unknown, while experts urge rapid incident response and patching.
read more β†’