
All news with #active exploitation tag

593 articles · page 3 of 30

MAXHUB Pivot Client Vulnerability Exposes Emails Now

⚠️ The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.

Critical PAN-OS Buffer Overflow Targets Exposed Firewalls

🔒 Palo Alto Networks warned of a critical buffer overflow in PAN-OS affecting the User-ID Authentication Portal (CVE-2026-0300) that can allow unauthenticated attackers to execute code as root on exposed PA- and VM-Series firewalls. The vendor says only portals reachable from untrusted IPs are at risk; Prisma Access, Cloud NGFW and Panorama are not impacted. Customers are advised to restrict portal access, disable the Captive Portal if unused, disable Response Pages on untrusted interfaces, and apply mitigations until patched builds roll out in May.

Critical PAN-OS Buffer Overflow Exploited in the Wild

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.

Student Hacks TETRA System, Stops Taiwan High-Speed Trains

🔴 A 23-year-old university student in Taiwan was arrested after allegedly interfering with the country's TETRA-based communications for the Taiwan High Speed Rail (THSR). Authorities say he used SDR equipment and handheld radios to transmit a high-priority 'General Alarm' on April 5, forcing emergency brakes and halting four trains for 48 minutes. Investigators found decoded radio parameters and an accomplice who supplied critical THSR settings. Equipment including 11 radios, an SDR and a laptop was seized; the suspect faces criminal charges and was released on NT$100,000 bail.

Supply-Chain Attack Compromises DAEMON Tools Installers

🛡️ Kaspersky has identified a supply-chain compromise that trojanized installers for DAEMON Tools, distributed from the vendor’s official site and signed with developer certificates. The affected builds (12.5.0.2421–12.5.0.2434) have been backdoored since April 8, 2026, with three core binaries modified to deploy an implant. The implant contacts an observed C2 domain (env-check.daemontools.cc) to receive shell commands that download and execute follow-on payloads, including a .NET collector and a loader/backdoor pair. Kaspersky observed thousands of initial infection attempts worldwide while more advanced payloads were selectively delivered to a small number of targets in Russia, Belarus, and Thailand; AVB Disc Soft has been notified.

Critical PHP Code Injection in MetInfo CMS (CVE-2026-29014)

⚠️ New findings from VulnCheck and the NVD confirm that MetInfo CMS versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability (CVE-2026-29014, CVSS 9.8) that allows remote attackers to execute arbitrary code. The defect is located in /app/system/weixin/include/class/weixinreply.class.php and results from insufficient sanitization of Weixin API inputs. On non‑Windows hosts a preexisting /cache/weixin/ directory (created by the official WeChat plugin) is required for exploitation. MetInfo released patches on April 7, 2026, but active exploitation was observed beginning April 25 and escalated on May 1, with most activity originating from China and Hong Kong IPs.

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.

Weekly Cyber Recap: Attackers Shift to Long-Term Occupation

🚨 This week’s telemetry shows attackers moving from quick breaches to persistent occupation across SaaS, CI/CD and hosting panels. CVE-2026-41940 in cPanel/WHM and the Linux Copy Fail bug (CVE-2026-31431) are being actively exploited alongside supply-chain compromises that weaponize developer pipelines. Social engineering — including vishing that bypasses MFA — and AI-assisted phishing kits are scaling attacks. Prioritize urgent CVEs, rotate pipeline credentials, and treat sessions and routine pipeline runs as potentially hostile.

CISA: 'Copy Fail' Linux Flaw Now Actively Exploited

🔒 CISA warns that threat actors are actively exploiting the Linux "Copy Fail" vulnerability tracked as CVE-2026-31431. The flaw exists in the kernel's algif_aead cryptographic algorithm interface and lets unprivileged local users gain root by writing four controlled bytes to the page cache of any readable file. Theori published a "100% reliable" Python PoC; vendors are issuing kernel fixes and CISA has ordered federal patches under BOD 22-01.

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.

CISA Adds Actively Exploited Linux Root Bug to KEV

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Linux kernel vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild activity. The privilege escalation bug, nicknamed Copy Fail, affects kernels shipped since 2017 and carries a CVSS score of 7.8; patches are available in kernel releases 6.18.22, 6.19.12, and 7.0. Security vendors warn the flaw is especially dangerous for containerized environments when the algif_aead module is exposed on hosts, and detecting exploitation is difficult because the exploit uses legitimate system calls.

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.

Windows Shell Spoofing Vulnerability Forces Rapid Patching

⚠️ Microsoft and CISA have warned that a Windows shell spoofing vulnerability (CVE-2026-32202) is being actively exploited and has prompted a CISA directive requiring federal agencies to patch by May 12. Microsoft says exploitation can expose sensitive data though it does not allow full system takeover. Security experts caution the situation was aggravated by an incomplete earlier fix for CVE-2026-21510, creating a patch gap between vendor updates and organizational deployment. CISOs face a difficult balance between rapid remediation and careful testing to avoid service disruption, and are urged to apply interim mitigations where possible.

Linux 'Copy Fail' LPE (CVE-2026-31431) Roots Major Distros

⚠ An exploit for a local privilege escalation called Copy Fail (CVE-2026-31431) has been published, allowing unprivileged users to obtain root on Linux kernels released since 2017. The issue was discovered by Theori using its Xint Code AI pentesting platform, reported on March 23, and patched upstream in early April by reverting an in-place crypto optimization. Researchers published a compact Python PoC that they demonstrated against multiple distributions and recommend disabling the algif_aead interface as an interim mitigation while vendors distribute kernel updates.

ABB IEC 61850 Vulnerability Affects Select Control Devices

⚠️ ABB disclosed CVE-2025-3756, a vulnerability in its IEC 61850 MMS client stack that can be triggered by a specially crafted 61850 packet. Exploitation requires access to the IEC 61850 network and can force PM 877, CI850, and CI868 modules into a fault state requiring manual restart or repeatedly crash S+ Operations IEC 61850 connectivity, causing denial-of-service. System 800xA IEC61850 Connect is not affected. ABB has released or scheduled firmware updates and advises customers to apply fixes and follow mitigating guidance.

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.

Critical cPanel and WHM Authentication Bypass Zero-Day

🔒 CVE-2026-41940 is a critical authentication-bypass affecting cPanel, WHM, and WP Squared that has been actively exploited in the wild. The flaw stems from a CRLF injection in login and session-loading where unsanitized Authorization header data is written into server-side session files before authentication, enabling bypass. Patches released April 28 cover multiple 11.x release lines and vendors published detection scripts; short-term mitigations include blocking management ports (2083/2087/2095/2096) or stopping cpsrvd and cpdavd.

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.