< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 2 of 35

Critical PTC Windchill PLM Flaw Under Active Exploitation

🛡️ Hackers are exploiting a critical unsafe deserialization vulnerability in PTC Windchill and FlexPLM that enables remote code execution. The flaw, tracked as CVE-2026-12569 and scored 9.3 CVSS, affects the Windchill PDMLink web component. PTC issued mitigations and patches on June 17–19 and provided indicators of compromise after reports of web shell deployment. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
read more →

CISA orders urgent patches for exploited Cisco and PLM flaws

🔔 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set a June 28 deadline under BOD 26-04 for federal agencies to patch a critical Cisco Unified Communications Manager Server SSRF vulnerability, CVE-2026-20230, which is being actively exploited. Cisco released a patch on June 3 and labeled the issue critical after a proof-of-concept existed; subsequent reports showed active attacks writing arbitrary files. CISA also added a critical RCE flaw, CVE-2026-12569, affecting PTC Windchill and FlexPLM products to its Known Exploited Vulnerabilities list, requiring immediate remediation.
read more →

Linux pedit COW exploit lets local users gain root

⚠️ A critical memory-corruption bug in the Linux traffic-control subsystem (CVE-2026-46331, “pedit COW”) enables a local unprivileged user to gain root by corrupting shared page-cache memory. The flaw allows modification of a cached setuid binary image in memory without touching the on-disk file; a public exploit appeared within a day of CVE assignment. The exploit requires the act_pedit module be loadable and unprivileged user namespaces enabled; affected vendors have issued patches and mitigations.
read more →

CISA Adds PTC Windchill RCE to KEV Catalog

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical RCE vulnerability affecting PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw, tracked as CVE-2026-12569 with a CVSS score of 9.3, allows arbitrary code execution via improper input validation and deserialization of untrusted data. Patches were released last week, but PTC warns of ongoing attacks deploying JSP web shells and published IoCs and mitigations.
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
read more →

DraftKings hacker 'Snoopy' sentenced to 18 months

🔒 A 21-year-old known as "Snoopy" was sentenced to 18 months in prison after pleading guilty to conspiracy to commit computer intrusion for his role in the November 2022 DraftKings account takeover. The attacker and co-conspirators compromised roughly 60,000 user accounts, added payment methods to 1,600 accounts, and stole $600,000. Authorities linked the scheme to online marketplaces and seller shops that trafficked access to stolen accounts.
read more →

Cisco Unified CM SSRF Flaw Now Being Exploited

🛡️ Threat actors are actively exploiting a critical vulnerability in Cisco Unified Communications Manager and its SME edition, tracked as CVE-2026-20230 (CVSS 8.6). The flaw stems from improper input validation in handling specific HTTP requests, enabling unauthenticated SSRF and arbitrary file writes that could lead to root escalation. Exploitation requires the WebDialer service to be enabled (disabled by default); Cisco has released patches in 14SU6 and 15SU5 and recommends disabling WebDialer if immediate patching is not possible.
read more →

Weekly Recap: Browser Bugs, EDR Killers, FortiBleed

📰 This week’s recap highlights recurring attack patterns: abused integrations, poisoned websites, fake tools, and ransomware groups disabling security products. Notable incidents include the large-scale FortiBleed campaign compromising FortiGate devices, the Gentlemen RaaS developing the GentleKiller EDR-killing suite, and active exploitation of a critical Splunk flaw. Mobile and crypto-related malware campaigns also featured prominently.
read more →

AryStinger malware converts legacy routers into relays

🔍 QiAnXin XLab has identified a new malware family named AryStinger that has infected at least 4,300 legacy home routers, turning them into a distributed reconnaissance and proxy network rather than a typical DDoS botnet. The campaign targets routers using Realtek RTL819X chips via old vulnerabilities (CVE-2013-3307, CVE-2016-5681) and favors D-Link DIR-850L units, with infections concentrated in South Korea and China. A second strain targeting QNAP NAS devices via CVE-2025-11837 was also observed; both builds support scanning, tunneling, and remote task execution. Defenders are advised to check for C2 connections, suspicious binaries and processes, retire unsupported devices, and disable remote administration.
read more →

Gravity SMTP flaw exposes API keys and system data

🔒 A recently patched information disclosure flaw in the Gravity SMTP WordPress plugin (CVE-2026-4020) allows unauthenticated attackers to retrieve sensitive configuration data and API credentials via a misconfigured REST API endpoint. Wordfence observed exploit attempts beginning in May 2026 and blocking over 17 million requests, with activity spiking in early June. Site owners should update to version 2.1.5, rotate exposed credentials, and review logs for suspicious access from listed IPs.
read more →

CISA warns: Patch critical Splunk Enterprise flaw by Sunday

🔒 The U.S. CISA has ordered federal agencies to patch a critical Splunk Enterprise vulnerability (CVE-2026-20253) by Sunday after evidence of active exploitation. The flaw impacts Splunk Enterprise versions 10.2.0–10.2.3 and 10.0.0–10.0.6 and allows unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. Splunk released patches and mitigation guidance, and Shadowserver has identified over 1,400 Internet-exposed Splunk instances that may be at risk.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation. The alert underscores that such vulnerabilities are frequent attack vectors and pose significant risks to the federal enterprise. BOD 26-04 requires Federal Civilian Executive Branch agencies to prioritize rapid remediation of high-risk KEV-listed CVEs on internet-exposed assets and to check for compromise before patching. CISA encourages all organizations to adopt risk-based vulnerability management and to submit candidate vulnerabilities via the KEV Nomination Form.
read more →

CISA urges hardening of Fortinet devices after breaches

🔒 CISA warns that malicious actors have targeted internet-accessible Fortinet devices using compromised credentials, a campaign dubbed FortiBleed affecting roughly 74,000 devices including firewalls and VPN gateways. The agency urges immediate actions such as terminating active SSL VPN and administrative sessions, resetting credentials, enforcing strong password policies, and ensuring secure credential storage using PBKDF2. Organizations should review logs for suspicious activity, enable phishing-resistant MFA for remote and administrative access, and restrict management interfaces from public internet exposure.
read more →

Operation Escaneo exposes Latin American intrusions

🔍 New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more →

CISA directs urgent patch for JCE Joomla flaw

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin, tracked as CVE-2026-48907, which is being actively exploited in the wild. The flaw allows unauthenticated attackers to upload and execute PHP code via new editor profiles in affected Joomla deployments. JCE released version 2.9.99.6 in early June and urged immediate updates, noting that updates do not remove existing compromises and outlining remediation steps for infected sites.
read more →

Mastra npm packages compromised in supply-chain attack

🛡️ Multiple npm packages under the @mastra/* namespace were mass-published with a malicious dependency on June 16–17, 2026, enabling a supply-chain campaign named easy-day-js. The injected library, easy-day-js, executes an obfuscated postinstall payload that downloads a second-stage trojan from attacker infrastructure and disables TLS validation. Victims should treat any systems that installed the affected versions as potentially compromised, roll back to safe releases, rotate secrets, and audit hosts for signs of the stealer.
read more →

CISA flags critical JCE Joomla flaw exploited

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity flaw in Widget Factory's Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities catalog, citing active exploitation. Tracked as CVE-2026-48907 (CVSS 10.0), the improper access control bug allows unauthenticated creation of editor profiles and potential PHP code upload and execution. The flaw affects JCE versions 1.0.0 through 2.9.99.4 and was patched in 2.9.99.5 on June 3, 2026; FCEB agencies must apply fixes by June 19, 2026.
read more →

Google Vertex AI SDK bucket-squatting flaw patched

🛡️ Palo Alto Networks Unit 42 disclosed a flaw in the Google Cloud Vertex AI Python SDK that let an attacker with only their own Google Cloud project and a victim's project ID hijack model uploads and execute code in Vertex AI serving containers. Google fixed the issue; users must update to google-cloud-aiplatform version 1.148.0 or later and explicitly set a staging_bucket. The bug arose from predictable default bucket names and lack of ownership checks, enabling an attacker to precreate the bucket, swap uploaded model files (often pickled), and run malicious code when Vertex AI loaded the model.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after confirming evidence of active exploitation. This vulnerability type remains a common attack vector and presents significant risk to the federal enterprise. BOD 26-04 reinforces rapid remediation of KEV-listed CVEs for federal agencies and updates prior guidance. CISA encourages all organizations to adopt risk-based vulnerability management and may add further vulnerabilities that meet KEV criteria.
read more →

China-linked group exploited REDCap to target research

🔒 Google warns that a China-associated threat actor, UNC6508, ran a prolonged espionage campaign targeting US and Canadian research environments by abusing legacy versions of REDCap. The attackers trojanized upgrade processes with modular malware called INFINITERED to achieve persistence, harvest credentials, and maintain a backdoor. GTIG recommends inspecting REDCap files, validating upgrades, and enforcing stronger authentication and DLP controls.
read more →