< ciso brief />

All news with #active exploitation tag

593 articles

Weekly Cyber Recap: Supply Chain and Active Flaws

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.

LiteSpeed cPanel plugin bug allows root script execution

🔐 A critical vulnerability, CVE-2026-48172 (CVSS 10.0), in the LiteSpeed User-End cPanel Plugin allows privilege escalation via the lsws.redisAble function, enabling arbitrary scripts to run as root. The flaw affects plugin versions 2.3 through 2.4.4 and is being actively exploited; LiteSpeed fixed it in v2.4.5 and later bundled releases. Administrators are urged to upgrade to cPanel plugin v2.4.7 (with WHM plugin v5.3.1.0) or uninstall the user-end plugin if immediate patching is not feasible.

CISA Adds Drupal SQL Injection to KEV Catalog

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 6.5) to its Known Exploited Vulnerabilities list after evidence of active exploitation. The vulnerability affects all supported Drupal Core versions and could enable privilege escalation and remote code execution via crafted requests using the database abstraction API. Patches were released across multiple 8.x–11.x branches, with manual patches required for Drupal 9.5 and 8.9.

Trend Micro Apex One zero-day exploited in attacks

🛡️ Trend Micro disclosed a zero-day in its Apex One on-premises server (CVE-2026-34926), a directory traversal flaw that can let a local attacker with administrative access inject malicious code to be deployed to agents. The vendor noted the bug is restricted to on-prem installations and requires prior admin credentials, but observed at least one attempted exploitation in the wild. CISA added the vulnerability to its actively exploited list and ordered federal agencies to patch by June 4, while Trend Micro also released fixes for seven related SEP agent privilege escalation issues.

Drupal SQL injection flaw now being exploited

🔒 Drupal has warned administrators that a "highly critical" SQL injection vulnerability, tracked as CVE-2026-9082, is being actively targeted in the wild. Discovered by Google/Mandiant researcher Michael Maturi, the flaw affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. Exploitation requires no authentication and can lead to remote code execution, privilege escalation, and data disclosure; Drupal has released updates and urges immediate patching.

Microsoft warns of two actively exploited Defender flaws

🔒 Microsoft disclosed two Microsoft Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege escalation rated 7.8 that can allow an attacker to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue rated 4.0. Both are addressed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not affected; updates are applied automatically through malware definitions and the Microsoft Malware Protection Engine.

SonicWall VPN MFA Bypass: CVE-2024-12802 Exploits and Risks

🔒 ReliaQuest observed attackers brute-forcing credentials and bypassing MFA on SonicWall Gen6 SSL-VPN appliances by exploiting CVE-2024-12802, allowing rapid internal access and attempts to deploy Cobalt Strike and a vulnerable driver. SonicWall warns that installing the firmware update alone on Gen6 devices does not fully mitigate the flaw; administrators must manually reconfigure LDAP settings to restore MFA enforcement. Gen7/Gen8 devices are fully remediated by firmware updates.

Webworm APT Expands into Europe, Deploys New Backdoors

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.

GitHub Breach: ~3,800 Repos Stolen via VS Code Extension

🔒 GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the company removed the malicious version from the Marketplace and isolated the compromised device. GitHub says its current assessment is that exfiltration was limited to GitHub-internal repositories and that it has so far found no evidence that customer data outside the affected repos was impacted. The incident is under active investigation while GitHub continues incident response.

Max-Severity ChromaDB Flaw Lets Attackers Hijack Servers

⚠️ A max-severity flaw (CVE-2026-45829) in the Python FastAPI server of ChromaDB allows unauthenticated attackers to load and execute remote models before authentication is enforced, enabling arbitrary code execution on exposed servers. The issue impacts PyPI-distributed releases used widely in AI retrieval stacks; a 1.5.9 release exists but it is unclear if the fix addresses this vulnerability. Mitigations include using the Rust frontend, avoiding public exposure of the Python API, and restricting network access to the ChromaDB API port.

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.

GitHub Actions Compromised via Imposter Commit Attack

🔒 Security researchers from StepSecurity report that the popular GitHub Action actions-cool/issues-helper was hijacked by attackers who moved existing tags to imposter commits in an adversary-controlled fork. The malicious commit downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process to harvest CI/CD credentials, and exfiltrates them to an attacker-controlled domain. A second action, actions-cool/maintain-one-comment, had 15 tags similarly altered. GitHub has disabled repository access; only workflows pinned to full commit SHAs remain unaffected.

Zero-Day Exploit Targets Windows BitLocker TPM Protections

⚠️ A new zero-day called YellowKey, published this week by a researcher using the alias Nightmare-Eclipse, demonstrates a reliable bypass of default Windows 11 BitLocker deployments. The exploit circumvents disk encryption that relies solely on the TPM-stored key and requires physical access to the affected machine. Organizations that mandate BitLocker, including government contractors, should reassess device physical security and BitLocker configuration.

NGINX Heap Overflow CVE-2026-42945 Exploited in the Wild

⚠️ A high-severity heap buffer overflow (CVE-2026-42945, CVSS 9.2) in the ngx_http_rewrite_module of NGINX Plus and NGINX Open (versions 0.6.27–1.30.0) is being exploited in the wild shortly after disclosure. The flaw, reportedly introduced in 2008, can allow unauthenticated attackers to crash worker processes or, when Address Space Layout Randomization (ASLR) is disabled and certain configurations are present, achieve remote code execution. Users are advised to apply F5's fixes and review server configurations urgently.

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️ A critical vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports attackers are planting fake Google Tag Manager-like scripts in the plugin's External Scripts setting to load payment skimmers. FunnelKit released a patch in v3.15.0.3; site owners should update immediately and inspect checkout scripts.

Critical Funnel Builder WordPress Plugin Exploited

⚠️ A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers modify the plugin’s global settings via an exposed checkout endpoint to add a fake analytics script that opens a WebSocket and delivers a payment card skimmer. The injected skimmer harvests card numbers, CVVs, billing details and other customer data; site owners should update to 3.15.0.3 and inspect External Scripts.

Cisco warns of exploited SD-WAN authentication bypass

⚠️ Cisco has disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms that has been observed exploited in the wild. The flaw lets unauthenticated remote actors craft control-connection requests to bypass peer authentication and gain administrative privileges. Cisco has released updates and urges immediate patching because no workarounds exist. The issue is tracked as CVE-2026-20182 with a CVSS score of 10.0 and was added to CISA’s KEV list.

Microsoft: Exchange Server XSS flaw actively exploited

⚠️ Microsoft disclosed a new actively exploited vulnerability, CVE-2026-42897 (CVSS 8.1), a spoofing bug caused by cross-site scripting in on-premises Exchange Server. An attacker can execute arbitrary JavaScript by sending a crafted email that is opened in Outlook Web Access. Microsoft offers a temporary mitigation via the Exchange Emergency Mitigation Service (enabled by default) and provides an EOMT PowerShell script for environments that cannot use the service; Exchange Online is not affected.

CISA Adds Cisco SD-WAN CVE to KEV; FCEB Remediate Now

🔒 CISA has added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by May 17, 2026. The flaw is rated 10.0 (CVSS) and allows an unauthenticated remote attacker to obtain administrative privileges. Cisco links active exploitation to threat cluster UAT-8616 and advises customers to follow its advisories and mitigation guidance.

Critical Auth Bypass in Burst Statistics Plugin Patched

🔒 Wordfence disclosed a critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181) that lets unauthenticated actors impersonate admin users via REST API requests and even create rogue admin accounts. The flaw, introduced in versions 3.4.0 and 3.4.1, misinterprets wp_authenticate_application_password() return values, treating errors or null as successful authentication. Users should upgrade to 3.4.2 or disable the plugin immediately.