< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 3 of 35

CISA warns: actively exploited LiteSpeed cPanel flaw

⚠️ CISA has ordered federal agencies to secure servers against an actively exploited LiteSpeed cPanel user-end plugin flaw (CVE-2026-48172 / CVE-2026-54420) that can allow privilege escalation to root on shared hosting with CloudLinux/CageFS. The vulnerability affects plugin versions prior to 2.4.8 and stems from a UNIX symlink following weakness; LiteSpeed released urgent updates and provided a command to check for compromises. Agencies must comply with BOD 26-04 and remediate systems within three days per the Known Exploited Vulnerabilities Catalog.
read more →

Attackers Exploit Multiple Fortinet FortiSandbox Bugs

🔍 Threat intelligence firm Defused Cyber reports active exploitation of three high-severity Fortinet FortiSandbox vulnerabilities observed within 24 hours. The flaws — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — are high-severity (CVSS 9.1) issues involving path traversal and OS command injection that can enable unauthenticated attackers to bypass authentication or execute commands. Fortinet issued patches for the first two in April 2026 and fixed the third last week; defenders are cautioned to apply updates promptly.
read more →

Critical FortiSandbox Vulnerabilities Actively Exploited

🛡️ Fortinet's FortiSandbox platform is being actively targeted by attackers exploiting multiple recently patched critical vulnerabilities. The flaws (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) enable unauthenticated privilege escalation and remote code execution through low-complexity command injection, requiring no user interaction. Administrators are urged to upgrade affected systems to the latest releases to block ongoing attacks and reduce exposure.
read more →

Cisco issues patches for SD‑WAN file upload flaw

🔒 Cisco has released updates fixing a medium‑severity flaw in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20262) that is being actively exploited. The bug allows an authenticated attacker with write access to create or overwrite files via a vulnerable web UI file upload API, which can be leveraged to escalate privileges. Affected on‑prem and cloud SD‑WAN deployments have fixes available across multiple release tracks; customers are urged to apply patches and audit logs for suspicious WAR uploads.
read more →

Cisco fixes SD‑WAN Manager zero‑day exploited to root

🛡️ Cisco has released patches for a zero-day in Catalyst SD-WAN Manager (formerly SD-WAN vManage), tracked as CVE-2026-20262, which was exploited to escalate to root privileges. The flaw affects all deployment types and results from insufficient validation of user-supplied file uploads, allowing authenticated low-privilege attackers to create or overwrite files via a crafted HTTP request. Cisco PSIRT confirmed active exploitation, provided IOCs, and strongly urged customers to upgrade to fixed releases.
read more →

China-linked actors breach REDCap servers, steal research

🔒 Google Threat Intelligence Group attributes a long-running espionage campaign to UNC6508, a China-linked actor, which exploited exposed REDCap servers to deploy the custom Infinitered malware and exfiltrate sensitive medical research. The intrusion began in September 2023 and persisted through November 2025, with attackers harvesting credentials, maintaining persistent backdoors, and using enterprise email compliance rules to siphon data. Administrators are urged to update REDCap, enable MFA/2SV, and apply provided YARA rules and IoCs to detect infections.
read more →

Weekly Cyber Recap: Active Chrome 0‑Day Patch

⚠️ Google issued fixes for 74 Chrome flaws, including an actively exploited V8 out-of-bounds memory access (CVE-2026-11645). This week's recap highlights exploited enterprise bugs like Oracle PeopleSoft and Check Point VPN, large-scale supply-chain and package abuse in Arch's AUR, and the takedown of a major phishing-as-a-service operation. Practical guidance and trending CVEs round out the update.
read more →

Langflow path traversal allows remote code execution

🚨 Enterprises using the open-source AI orchestration platform Langflow are urged to apply a patch for a high-severity path traversal flaw that enables arbitrary file writes and, in some environments, remote code execution. The vulnerability stems from improper handling of uploaded filenames at the /api/v2/files endpoint and was fixed in version 1.9.0, though exploitation has been observed in the wild. Public proof-of-concept code and exposed instances increase risk for unpatched deployments.
read more →

Palo Alto Warns of Active Exploitation of PAN‑OS Bug

🔒 Palo Alto Networks has observed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS affecting GlobalProtect portal and gateway components that can enable unauthorized VPN connections. Initial in-the-wild activity was seen on May 17, 2026, though the threat actor remains unidentified. The company provided IoCs and urges customers to search GlobalProtect logs for gateway-connected events and specific client configuration indicators.
read more →

Former school IT worker jailed for prolonged hacks

🔒 A former senior IT support specialist for the Saydel Community School District in Iowa was sentenced to 21 months in prison for repeatedly accessing and sabotaging his former employer’s systems after his April 2023 departure. Prosecutors say he deleted the district’s Facebook page, stripped employees of access to educational platforms, and erased Apple School Manager and Gmail accounts, disrupting classes and causing tens of thousands in remediation costs. He pleaded guilty in January 2026 and must pay $59,668.81 in restitution and serve three years of supervised release with monitoring conditions.
read more →

phpBB fixes decade-old authentication bypass

🔒 Researchers discovered a 10-year-old authentication bypass in phpBB that allows logging in as any user, including administrators. The flaw affects versions 4.0.0-a2 and 3.3.16 and below and can be exploited with a single HTTP request on default configurations. Aikido reported the issue on June 2 and phpBB patched it in version 3.3.17 on June 6; 4.x users must await a safe release.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. The advisory reiterates that such vulnerabilities are frequent attack vectors and pose significant risks to the federal enterprise. It references BOD 26-04, which requires Federal Civilian Executive Branch agencies to prioritize rapid remediation of high-risk CVEs listed in the KEV catalog and to assess for compromise prior to patching. CISA urges all organizations to adopt risk-based vulnerability management and offers a KEV Nomination Form for reporting exploited vulnerabilities.
read more →

Maximum-severity Ivanti Sentry flaw now exploited

🔒 Attackers are exploiting a recently patched maximum-severity OS command injection in Ivanti Sentry (formerly MobileIron Sentry), tracked as CVE-2026-10520, to achieve root code execution on Internet-exposed gateways. Ivanti released patches in Sentry R10.5.2, R10.6.2, and R10.7.1, but Shadowserver reports many publicly reachable appliances have already been backdoored. Shadowserver warned that their scans undercount exposures due to blocklisting and urged immediate patching, while Ivanti has not revised its advisory and maintains no evidence of customer exploitation at disclosure.
read more →

Path traversal in Langflow exploited to write files

🛡️ A high-severity path traversal flaw (CVE-2026-5027) in the AI development platform Langflow is being actively exploited to write arbitrary files to exposed servers. Tenable discovered the issue, which stems from unsanitized filenames in the POST /api/v2/files endpoint, and disclosed it on March 27, 2026. Patches were released in langflow-base 0.8.3 and Langflow 1.9.0, and users are urged to upgrade to version 1.10.0.
read more →

High-severity Langflow path traversal under active exploit

🔒 A critical path traversal flaw, CVE-2026-5027 (CVSS 8.8), in the open-source Langflow low-code AI platform is being actively exploited, per VulnCheck. The issue stems from unsanitized 'filename' input to the POST /api/v2/files endpoint, allowing attackers to write files to arbitrary filesystem locations. Tenable attempted multiple responsible disclosures before public details were released in late March 2026. Public exposure of roughly 7,000 Langflow instances increases exploitation risk across North America and beyond.
read more →

Microsoft patches Exchange Server XSS zero-day exploit

🛡️ Microsoft released updates to fix an actively exploited Exchange Server XSS vulnerability (CVE-2026-42897) that allows remote attackers to execute arbitrary JavaScript in Outlook Web Access without privileges. The flaw affects Exchange Server 2016, 2019, and Subscription Edition; Microsoft initially deployed a temporary mitigation via the Exchange Emergency Mitigation Service and now urges admins to install the June 2026 security updates and retain mitigations for added protection.
read more →

ServiceNow flaw exploited to gain deeper access

🔒 ServiceNow disclosed a security incident after unidentified actors exploited a vulnerability to obtain unauthorized, deeper access to some customer instances. On June 5, 2026, the company applied a security update to hosted instances to restrict access to an endpoint so only authenticated users can reach it. ServiceNow detected anomalous activity and confirmed successful queries against instance tables for a subset of customers, who have been notified. The issue affects customers on the Australia platform release or those with specific pre-Australia configuration changes.
read more →

Critical Veeam RCE Flaw Affects Domain-Joined Servers

🔒 Veeam released updates to fix a critical remote code execution vulnerability in Backup & Replication (CVE-2026-44963) that affects 12.x builds up to 12.3.2.4465 and was patched in 12.3.2.4854. Any authenticated low-privilege domain user can exploit the issue, but only domain-joined installations are impacted. Veeam noted version 13.x is not affected due to architectural changes and urged customers to apply updates promptly as attackers commonly reverse-engineer patches.
read more →

Check Point warns of IKEv1 VPN authentication flaw

🔒 Check Point released emergency hotfixes for IKEv1-related VPN vulnerabilities after confirming active exploitation of a critical authentication bypass. The primary flaw (CVE-2026-50571) can let unauthenticated attackers establish VPN sessions without valid passwords, providing a foothold for further intrusions. A second issue (CVE-2026-50752) risks MITM interference in site-to-site VPNs. Check Point urges immediate patching and migration to IKEv2 where possible.
read more →

AI-driven worm shows autonomous host-level exploitation

🧩 Researchers at the University of Toronto built and tested a proof-of-concept self-replicating worm driven by a locally hosted open-weight large language model. In isolated experiments on a deliberately vulnerable 33-host network, the agent identified dozens of vulnerabilities, gained elevated access across most targeted hosts, and autonomously replicated to a majority of the network without using any commercial AI API. The team highlights how runtime reasoning and ingestion of fresh advisories break single-CVE patching assumptions and argues containment must focus on host and network controls rather than vendor API measures.
read more →