ciso brief

All news with #active exploitation tag

593 articles · page 2 of 30

Critical Cisco SD-WAN Controller Zero-Day Under Active Exploitation

⚠ Cisco warns of an actively exploited authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182), rated CVSS 10.0, affecting on-premises and SD-WAN Cloud Manager deployments. The flaw lies in a peering authentication mechanism that "is not working properly"; abusing it yields high-privileged (non-root) administrative access and NETCONF control. Cisco detected exploitation in May and says its security updates are the only full remediation; in the meantime it advises restricting management-plane access and reviewing peering and authentication logs for indicators of compromise.

Cisco fixes CVE-2026-20182 SD-WAN Controller bypass

🔒 Cisco has released fixes for a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) that it says has been exploited in limited attacks. The flaw allows a remote unauthenticated attacker to become an authenticated peer and obtain administrative privileges by abusing the peering authentication mechanism. Affected deployments include On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP); Cisco urges immediate patching and recommends auditing /var/log/auth.log for suspicious peering or publickey entries.

Threatsday Bulletin: PAN-OS RCE, AI Risks, Supply-Chain

🔥 Palo Alto released fixes for CVE-2026-0300, a critical PAN-OS buffer-overflow exploited in the wild to drop payloads like EarthWorm and ReverseSocks5. The bulletin also highlights new and recurring threats including zero-auth API data leaks at an AI training vendor, an FCC extension for router updates, supply-chain contests, and sophisticated phishing campaigns. Several incidents employ weaponized attachments, tokenizer tampering in AI models, and open-source tools to achieve stealthy remote access and long-term persistence.

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.

CISA Adds New Entry to Known Exploited Vulnerabilities

⚠️ CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-14 after confirming active exploitation. The agency warns that such vulnerabilities are common attack vectors and present significant risk to the federal enterprise. CISA directs organizations to follow Emergency Directive 26-03 and BOD 22-01 guidance, assess exposure, and apply mitigations or discontinue affected Cisco SD-WAN products if mitigations are not available.

PraisonAI Authentication Bypass CVE-2026-44338 Exploited

🔒 PraisonAI's legacy Flask API server contained a critical authentication bypass (CVE-2026-44338): it ships with AUTH_ENABLED = False and AUTH_TOKEN = None by default, so the API fails open. Exploitation allows unauthenticated callers to enumerate configured agents via /agents and to trigger workflows through /chat, potentially consuming model quotas and exposing run results. The flaw affects versions 2.5.6 through 4.6.33 and is fixed in v4.6.34; operators are advised to update, audit their deployments, and rotate any exposed credentials.
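As an added illustration of the fail-open default described in that summary (example code written for this page, not PraisonAI's own), the sketch below contrasts a check that trusts every caller when AUTH_ENABLED is false against one that fails closed and compares tokens in constant time, and adds a small audit of the environment variables an operator would check. AuthConfig, handle and audit_env are hypothetical stand-ins; only the two route names come from the advisory.

```python
"""Fail-open versus fail-closed API authentication.

Added illustration of the default described above (AUTH_ENABLED = False and
AUTH_TOKEN = None); it is not PraisonAI's code. The two route names come from
the summary; AuthConfig, handle and audit_env are hypothetical stand-ins
written for this example.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, List, Mapping, Optional


@dataclass(frozen=True)
class AuthConfig:
    auth_enabled: bool
    auth_token: Optional[str]


# Constructed configurations: the weak shipped default and a hardened one.
WEAK_DEFAULT = AuthConfig(auth_enabled=False, auth_token=None)
HARDENED = AuthConfig(auth_enabled=True, auth_token="example-static-token-0123456789abcdef")


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Pull the credential out of 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def authorize_fail_open(cfg: AuthConfig, headers: Mapping[str, str]) -> bool:
    """The bypass pattern: auth disabled (the default) means everyone is
    trusted, and a None token is never compared against anything."""
    if not cfg.auth_enabled:
        return True
    return bearer_token(headers) == cfg.auth_token


def authorize_fail_closed(cfg: AuthConfig, headers: Mapping[str, str]) -> bool:
    """Hardened: disabled auth or a missing token config rejects every caller,
    and the comparison is constant-time."""
    if not cfg.auth_enabled or not cfg.auth_token:
        return False
    presented = bearer_token(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), cfg.auth_token.encode())


Authorizer = Callable[[AuthConfig, Mapping[str, str]], bool]


def handle(path: str, headers: Mapping[str, str], cfg: AuthConfig, authorize: Authorizer) -> int:
    """Minimal router for the two endpoints named above; returns an HTTP status."""
    if path not in ("/agents", "/chat"):
        return 404
    if not authorize(cfg, headers):
        return 401
    return 200


def audit_env(env: Mapping[str, str]) -> List[str]:
    """Flag the weak settings in a deployment's environment, which is what
    'audit your deployments' means in practice for this class of bug."""
    findings = []
    if env.get("AUTH_ENABLED", "false").strip().lower() not in ("1", "true", "yes"):
        findings.append("AUTH_ENABLED is off: API accepts unauthenticated callers")
    token = env.get("AUTH_TOKEN", "")
    if not token or token.lower() in ("none", "null", "changeme"):
        findings.append("AUTH_TOKEN unset or placeholder")
    elif len(token) < 32:
        findings.append("AUTH_TOKEN is short; use at least 32 random characters")
    return findings
```

With the shipped default, `handle("/agents", {}, WEAK_DEFAULT, authorize_fail_open)` returns 200 for an anonymous caller; the fail-closed check returns 401 for the same request and keeps returning 401 until an operator both enables auth and sets a non-empty token.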

PraisonAI Authentication Bypass Probed by Internet Scanners Within Hours

🔍 Sysdig reported that a newly disclosed authentication bypass in the open-source orchestration framework PraisonAI was probed by internet scanners about 3 hours and 44 minutes after the GitHub advisory was published on May 11. The flaw stems from a legacy Flask API server that ships with authentication disabled by default; it affects versions 2.5.6 through 4.6.33 and is fixed in 4.6.34. Researchers urge immediate upgrades and monitoring for the "CVE-Detector/1.0" user-agent and for requests to /api/agents and related paths.
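The hunt the researchers recommend, as an added example (this page's own code, not Sysdig's tooling): parse Combined Log Format access-log lines, flag the CVE-Detector/1.0 user-agent and any request to the agent and chat endpoints named in the advisories, and record when each source was first seen. The log lines are constructed samples and the helper names are this example's own.

```python
"""Hunt for PraisonAI probing in web-server access logs.

Added example, not Sysdig's tooling: it reads Combined Log Format lines,
flags the "CVE-Detector/1.0" user-agent the researchers reported, flags hits
on the endpoints named in the advisories (/agents, /api/agents, /chat), and
reports per-source first-seen times. SAMPLE_LOG is constructed, not real
traffic.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:14:02:11 +0000] "GET /api/agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:14:02:12 +0000] "GET /agents HTTP/1.1" 200 498 "-" "CVE-Detector/1.0"
198.51.100.23 - - [11/May/2026:14:05:40 +0000] "POST /chat HTTP/1.1" 200 1024 "-" "python-requests/2.31.0"
192.0.2.10 - - [11/May/2026:14:06:01 +0000] "GET /healthz HTTP/1.1" 200 17 "-" "kube-probe/1.29"
192.0.2.10 - - [11/May/2026:14:06:02 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is deliberately unparseable
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UAS = ("CVE-Detector/1.0",)                  # from the Sysdig report
WATCHED_PATHS = ("/agents", "/api/agents", "/chat")  # from the advisories


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def watched_path(path: str) -> bool:
    """Match the endpoint itself or anything beneath it, ignoring query strings."""
    base = path.split("?", 1)[0].rstrip("/")
    return any(base == p or base.startswith(p + "/") for p in WATCHED_PATHS)


def classify(rec: dict) -> List[str]:
    reasons = []
    if any(ua in rec["ua"] for ua in SCANNER_UAS):
        reasons.append("scanner-ua")
    if watched_path(rec["path"]):
        # On a pre-4.6.34 server a 2xx here means the unauthenticated call succeeded.
        reasons.append("watched-path-2xx" if 200 <= rec["status"] < 300 else "watched-path")
    return reasons


def hunt(log_text: str):
    """Return (hits, first_seen): flagged records with their reasons, and the
    earliest timestamp at which each source IP was flagged."""
    hits = []
    first_seen: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                     "ua": rec["ua"], "reasons": reasons})
        first_seen.setdefault(rec["ip"], rec["ts"])
    return hits, first_seen


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG)[0]:
        print(h["ts"].isoformat(), h["ip"], h["path"], h["ua"], ",".join(h["reasons"]))
```

Run against a real log, the first-seen map gives the exposure window to compare with the advisory timestamp; the "watched-path-2xx" reason is the one that should open an incident on an unpatched host, because it means an anonymous /agents or /chat call was answered.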

Avada Builder Vulnerabilities Put One Million Sites at Risk

⚠️ Two newly disclosed flaws in the Avada Builder WordPress plugin put roughly one million sites at risk: an arbitrary file read (CVE-2026-4782, CVSS 6.5) and an unauthenticated time-based blind SQL injection (CVE-2026-4798, CVSS 7.5). The issues were reported to Wordfence in March, addressed in 3.15.2 and fully resolved in 3.15.3. Site owners are urged to update immediately and to audit subscriber accounts and wp-config.php for signs of compromise.

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.

ABB AC500 V3: Stack Buffer Overflow in CMS AES-GCM

ABB reports a stack-based buffer overflow in AC500 V3 when parsing CMS (Auth)EnvelopedData that uses AEAD ciphers such as AES-GCM. An oversized IV carried in the ASN.1 algorithm parameters can be copied into a fixed-size stack buffer without a length check, producing an out-of-bounds write before the message is authenticated, so a crafted message can crash the device, cause denial of service or potentially achieve remote code execution. ABB issued firmware 3.9.0 HF1 to correct the issue; no workaround exists.
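As an added example (this page's own code, not ABB's firmware) of the missing check described in that summary, below is a bounds-checked parser for the RFC 5084 GCMParameters structure the IV travels in; the IV length is validated against a fixed cap before the bytes are used anywhere, and every DER length is checked against the buffer it indexes. NONCE_MAX and the helper names are this example's assumptions.

```python
"""Bounds-checked DER parser for the AES-GCM parameter block carried in a CMS
(Auth)EnvelopedData, per RFC 5084:

    GCMParameters ::= SEQUENCE {
        aes-nonce   OCTET STRING,         -- the IV; 12 octets recommended
        aes-ICVlen  INTEGER DEFAULT 12 }  -- permitted values 12..16

Added example, not ABB's firmware code. It shows the check the summary says
is missing: the IV length is validated against a fixed cap before the bytes
are used or copied anywhere. NONCE_MAX is an assumed buffer limit.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NONCE_MAX = 16           # assumed size of the fixed buffer the nonce lands in
NONCE_MIN = 1
ICV_ALLOWED = (12, 13, 14, 15, 16)


class DerError(ValueError):
    """Any malformed or out-of-policy input. Callers must treat this as a hard
    reject: it fires before the AEAD tag can be verified, so nothing about the
    message is trustworthy yet."""


@dataclass(frozen=True)
class GcmParams:
    nonce: bytes
    icv_len: int


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos:], returning (tag, value, next_pos).
    Rejects indefinite, non-minimal and buffer-overrunning lengths."""
    if pos + 2 > len(buf):
        raise DerError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length field")
        if pos + n > len(buf):
            raise DerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise DerError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise DerError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_gcm_parameters(der: bytes) -> GcmParams:
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise DerError("expected a single SEQUENCE")
    tag, nonce, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise DerError("expected OCTET STRING aes-nonce")
    # The check that matters: bound the IV before it goes near a fixed buffer.
    if not NONCE_MIN <= len(nonce) <= NONCE_MAX:
        raise DerError(f"nonce length {len(nonce)} outside {NONCE_MIN}..{NONCE_MAX}")
    icv_len = 12                                  # DER omits DEFAULT values
    if pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02 or not 1 <= len(val) <= 2:
            raise DerError("expected INTEGER aes-ICVlen")
        icv_len = int.from_bytes(val, "big")
        if pos != len(seq):
            raise DerError("trailing data inside SEQUENCE")
    if icv_len not in ICV_ALLOWED:
        raise DerError(f"aes-ICVlen {icv_len} not permitted")
    return GcmParams(bytes(nonce), icv_len)


def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_gcm_parameters(nonce: bytes, icv_len: Optional[int] = None) -> bytes:
    """DER-encode GCMParameters; used to build both benign and oversized test
    inputs, so the encoder deliberately does not enforce the nonce cap."""
    body = _tlv(0x04, nonce)
    if icv_len is not None and icv_len != 12:
        body += _tlv(0x02, bytes([icv_len]))
    return _tlv(0x30, body)


def rejects(der: bytes) -> bool:
    """True if the parser refuses the input."""
    try:
        parse_gcm_parameters(der)
    except DerError:
        return True
    return False
```

In C the equivalent is a `if (iv_len > sizeof iv_buf) return error;` ahead of the memcpy; the point the advisory makes is that this parse happens before the AEAD tag is verified, so the validation cannot rely on the message being authentic.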

Critical Linux Kernel LPE 'copy.fail' Vulnerability

⚠ copy.fail is a severe Linux kernel local privilege escalation disclosed on 29 April 2026 with a working proof of concept. It abuses the kernel crypto API (AF_ALG sockets) together with splice() to write four bytes at a time directly into the page cache of files the attacker does not own; because the on-disk contents are never modified, checksum-based file-integrity monitoring does not see the change. The exploit reportedly works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora and requires no race and no per-distribution offsets; the mainline fix landed on 1 April and distributions are rolling out patches.

cPanel Vulnerability Exposes Hosting Supply Chain Risks

🔒 A recently disclosed cPanel vulnerability, tracked as CVE-2026-41940, is being exploited at scale to deploy backdoors, plant SSH keys, steal credentials and compromise hosting systems. Researchers at XLab link much of the activity to a long-running group called Mr_Rot13, with automated scans from more than 2,000 attacker IPs observed after the late-April disclosure. The incident highlights weak visibility into hosting control planes; the researchers urge organizations to treat an exposed control panel as a high-priority incident: patch immediately, rotate credentials, hunt for webshells and review logs for persistence.

TeamPCP Publishes Malicious Checkmarx Jenkins Plugin

🔒 Checkmarx confirmed a modified Jenkins AST plugin was published to the Jenkins Marketplace after attackers used stolen credentials to push malicious code. The company released v2.0.13-848.v76e89de8a_053 on GitHub and the Marketplace and says this release addresses the incident. It advised users to ensure they run 2.0.13-829.vc72453fa_1c16 (published Dec 17, 2025) or later. Researchers attribute the activity to TeamPCP.

JDownloader Site Compromise Replaced Installers with RAT

⚠ The official JDownloader website was compromised between May 6 and May 7, 2026, and attackers replaced alternative Windows and Linux installers with malicious payloads. The Windows binaries deploy a heavily obfuscated Python-based remote access trojan, while the Linux shell installer installs SUID-root components and persistence. Developers say the CMS was abused to alter download links without host-level access and have taken the site offline to investigate. Users who ran affected installers should treat systems as compromised, verify installers' digital signatures (AppWork GmbH) and consider reinstalling and rotating credentials.

Ivanti EPMM: Five Vulnerabilities, One Actively Exploited

🔐 Ivanti disclosed five vulnerabilities in its on‑premises Endpoint Manager Mobile (EPMM) suite, and one—CVE-2026-6973—has been added to CISA’s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy on‑premises MDM fits a Zero Trust model.

CISA Adds BerriAI LiteLLM SQL Injection to KEV Catalog

🔔 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-42208, a SQL injection affecting BerriAI LiteLLM. The agency cites evidence of active exploitation and notes that SQLi remains a common, high-risk vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by their due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Critical PAN-OS Captive Portal Zero-Day Exploited Widely

⚠️ Palo Alto Networks has confirmed a critical zero-day in the PAN-OS Captive Portal (CVE-2026-0300) that allows unauthenticated remote code execution as root on exposed PA-Series and VM-Series firewalls. Reporting indicates suspected state-sponsored actors exploited the flaw for nearly a month. Palo Alto Networks says fixes will begin rolling out on May 13; until then customers should restrict access to the portal or disable it.

Ivanti EPMM RCE (CVE-2026-6973) Under Active Exploitation

🛡️ Ivanti warns of a high-severity flaw, CVE-2026-6973 (CVSS 7.2), in Endpoint Manager Mobile (EPMM) that has been observed in limited active exploitation and allows a remote, authenticated attacker with administrative privileges to execute code. The issue affects on-premises EPMM versions before 12.6.1.1, 12.7.0.1 and 12.8.0.1; the fix shipped alongside patches for four additional vulnerabilities. CISA added CVE-2026-6973 to its KEV catalog with a May 10, 2026 remediation deadline; Ivanti advises applying the updates and rotating credentials as appropriate.

PAN-OS Critical RCE Exploit Observed in the Wild - May 2026

⚠️ Palo Alto Networks disclosed that threat actors attempted and later succeeded in exploiting a critical buffer overflow, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal, enabling unauthenticated remote code execution as root. Unit 42 linked activity to a suspected state-sponsored cluster tracked as CL-STA-1132, noting shellcode was injected into an nginx worker. Customers are advised to restrict access to trusted zones or disable the portal if unused, and to apply fixes expected to begin rolling out on May 13, 2026.

CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.