< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 4 of 35

Google issues emergency Chrome update addressing zero-day

🔒 Google has released an emergency update for Chrome addressing 74 vulnerabilities, including a high-severity zero-day that has been exploited in the wild. The bulletin, published on June 8, fixes 17 critical, 55 high-severity and two medium-severity flaws, with updates rolling out to Windows, Mac and Linux users over the coming days and weeks. The exploited V8 bug, CVE-2026-11645, was reported April 27 and earned the researcher $55,000.
read more →

Active privilege escalation flaw in Cisco SD‑WAN Manager

🔒 Cisco warns of an actively exploited high-severity vulnerability in Catalyst SD‑WAN Manager that allows authenticated attackers to escalate privileges to root. The flaw, tracked as CVE-2026-20245, requires local access and netadmin privileges but can be chained with prior authentication bypass bugs. Cisco recommends upgrading to the latest versions, checking edge device configurations, saving logs, and contacting TAC if indicators of compromise are found.
read more →

One-character Linux kernel flaw enables local root

🔒 Security researchers published a working exploit for a Linux kernel use-after-free, CVE-2026-23111, allowing unprivileged local users to escalate to root and escape containers. The bug resides in nf_tables packet-filtering code and was patched upstream on February 5, 2026; public exploit write-ups appeared in April and June. The reachable setup requires nf_tables and unprivileged user namespaces, common defaults on many desktops and server builds. Administrators should update their kernel packages and reboot to mitigate the issue.
read more →

Critical Check Point VPN Flaw Actively Exploited

🔒 Check Point has reported active exploitation of a critical logic flaw in certificate validation affecting Remote Access and Mobile Access VPNs configured to use deprecated IKEv1. The issue, tracked as CVE-2026-50751 (CVSS 9.3), lets unauthenticated attackers bypass user authentication and establish VPN sessions without valid passwords. Exploitation requires IKEv1 enabled, legacy clients accepted, and no machine certificate requirement; activity was first observed in early May 2026 and has targeted a few dozen organizations globally.
read more →

Hotfix Released for IKEv1 VPN Critical Vulnerabilities

🔒 Check Point Research disclosed active exploitation of CVE-2026-50751, a critical authentication bypass affecting Remote Access and Mobile Access VPNs using the deprecated IKEv1 key exchange. Exploitation allows establishment of VPN sessions without valid passwords; observed attacks have targeted a few dozen organizations and included Qilin ransomware activity. Customers using IKEv1 are urged to apply the hotfix immediately and follow remediation guidance.
read more →

Critical Everest Forms Pro Flaw Lets Site Takeover

⚠️ A critical vulnerability (CVE-2026-3300) in Everest Forms Pro versions 1.9.12 and earlier allows unauthenticated attackers to execute arbitrary PHP on affected WordPress sites via the plugin's Complex Calculation feature. The issue stems from user-supplied values being inserted into an eval() string without properly escaping single quotes, enabling code injection. Wordfence telemetry shows active exploitation creating rogue administrator accounts, and a patch was issued by the developer on March 18.
read more →

CISA Adds Actively Exploited SolarWinds Flaw

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity DoS vulnerability in SolarWinds Serv-U (CVE-2026-28318, CVSS 7.5) to its Known Exploited Vulnerabilities catalog, citing active exploitation. The bug causes uncontrolled resource consumption and crashes the Serv-U service via specially crafted POST requests using Content-Encoding: deflate. SolarWinds released a fix in Serv-U version 15.5.4 HF1 and recommends limiting access and blocking requests with content-encoding as mitigations. Federal agencies must remediate by June 19, 2026.
read more →

Cisco warns of active exploit in SD‑WAN Manager

🔒 Cisco has disclosed a high-severity vulnerability, CVE-2026-20245, affecting Catalyst SD‑WAN Manager deployments including on-premises and cloud variants. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file due to insufficient input validation. Cisco noted limited cases of configuration changes pushed to edge devices and advised applying fixes for related authentication bypass flaws (CVE-2026-20182) while monitoring /var/log/scripts.log for IoCs.
read more →

CISA warns of active exploitation of Serv‑U DoS flaw

⚠️ CISA warns that threat actors are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw (CVE-2026-28318) that allows unauthenticated attackers to crash Serv-U file-transfer services via specially crafted POST requests using Content-Encoding: deflate. SolarWinds issued Serv-U 15.5.4 Hotfix 1 to address an uncontrolled resource consumption weakness and advised mitigation steps for admins who cannot immediately patch. Shodan and Shadowserver show thousands of Serv-U instances exposed online, prompting CISA to add the flaw to its Known Exploited Vulnerabilities Catalog and require federal agencies to remediate by June 19 under BOD 22-01.
read more →

Critical Cisco SD‑WAN Manager zero‑day enables root

🔒 Cisco warned of a high‑severity, unpatched zero‑day (CVE-2026-20245) in the Catalyst SD‑WAN Manager actively exploited to escalate to root. The flaw affects all deployment types and results from insufficient validation of user‑supplied input, allowing local attackers with netadmin privileges to perform command injection by uploading crafted files. Cisco noted limited cases of configuration changes pushed to edge devices and advised contacting TAC and producing admin‑tech logs for investigation. Patches are not yet available; customers were urged to install fixes for related CVE-2026-20182.
read more →

Critical RCE in Everest Forms Pro Actively Exploited

🛡️ A critical remote code execution flaw in Everest Forms Pro for WordPress has been actively exploited to hijack sites. Wordfence analysis shows the vulnerability (CVE-2026-3300, CVSS 9.8) allows unauthenticated attackers to run PHP via the plugin's Calculation add-on when "Complex Calculation" is enabled. The bug affects all versions through 1.9.12 and was patched in 1.9.13; administrators are urged to update immediately. Wordfence telemetry recorded tens of thousands of blocked exploit attempts and identified indicators such as a rogue admin named "diksimarina" and a recurring source IP.
read more →

CISA alerts on active Android and Linux kernel exploits

🔒 CISA warns that threat actors are actively exploiting high-severity vulnerabilities in the Android Framework and the Linux kernel, now added to its Known Exploited Vulnerabilities catalog. Google confirms CVE-2025-48595 affects Android 14–16 and may be under limited targeted exploitation, addressed by June 2026 patches. The kernel flaw CVE-2022-0492 impacts multiple branches and can enable container escapes via cgroups v1, with fixes available in specified kernel releases. Federal agencies must remediate or mitigate by the June 5 deadline under BOD 22-01.
read more →

Two-year-old Oracle WebLogic flaw now actively exploited

🔒 US federal agencies were ordered to patch a two-year-old high-severity Oracle WebLogic Server vulnerability, CVE-2024-21182, after its addition to CISA’s Known Exploited Vulnerabilities catalog. The flaw affects supported versions 12.2.1.4.0 and 14.1.1.0.0 and was patched by Oracle in the July 2024 CPU. Security experts note that inclusion in the KEV indicates active weaponization and highlight persistent slow patching across organizations as a key risk.
read more →

Critical Kirki Flaw Lets Attackers Hijack WordPress

🔒 Defiant's Wordfence observed active exploitation of a critical privilege escalation bug (CVE-2026-8206) in the Kirki - Freeform Page Builder plugin, used on over 500,000 sites. The flaw, introduced in version 6.0.0 and present through 6.0.6, exposes a password reset endpoint that sends reset links to attacker-supplied emails, enabling account takeover. Vendor patched the issue in v6.0.7; site owners must update or disable the plugin immediately.
read more →

Critical HP Poly VoIP Flaw Enables Remote Root Access

🔒 HP has released patches for a critical buffer overflow in multiple IP conference phones in its Poly Voice line that can allow unauthenticated attackers to gain root on affected devices. The issue, tracked as CVE-2026-0826 and rated 9.2 CVSS, stems from SDP parsing when the ICE feature is enabled; administrators are advised to disable ICE if not needed. Rapid7 researchers released a Metasploit exploit demonstrating the vulnerability, and HP has issued UCS updates to remediate the affected VVX and Trio models.
read more →

Gamaredon leverages WinRAR flaw to deliver modular malware

🛡️ Gamaredon exploited CVE-2025-8088 in WinRAR to deploy an HTML Application payload named GammaPhish, which fetches a VBScript downloader called GammaLoad. Observed in January 2026 by Sekoia, the chain delivers multiple strains including a worm (GammaWorm) that persists via scheduled tasks and hides payloads using NTFS ADS, and a stealer (GammaSteel) that exfiltrates files to AWS S3 or fallback servers. The campaign targets Ukrainian entities and demonstrates a modular, highly obfuscated architecture likely to be reused.
read more →

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Oracle WebLogic vulnerability, CVE-2024-21182 (CVSS 7.5), to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. The flaw permits unauthenticated network attackers to compromise servers via T3 and IIOP protocols and was patched by Oracle in July 2024. Federal agencies are urged to apply fixes by June 4, 2026, to protect critical data and systems.
read more →

Microsoft threatens researcher after Windows exploits

🔒 An anonymous researcher known as “Nightmare Eclipse” has published several significant exploits targeting Microsoft Windows, including a vulnerability that defeats BitLocker. Microsoft has responded with threats of legal action, prompting public debate and recriminations between the company and security community. The situation has raised concerns about disclosure practices, researcher protections, and the balance between security research and corporate legal responses.
read more →

Weekly recap: PAN-OS, Gogs, GlassWorm takedown

🔔 This week's briefing highlights active exploitation of a PAN-OS GlobalProtect authentication bypass (CVE-2026-0257), a critical unauthenticated RCE in Gogs, and the coordinated takedown of GlassWorm C2 infrastructure. Other notable items include a long-standing Linux LPE (CIFSwitch) patched upstream, CERT-In urging rapid patching timelines, and several AI-enabled and supply-chain aided campaigns increasing attacker speed and reach.
read more →

Critical Windows Netlogon RCE Flaw Now Exploited

🔒 The Centre for Cybersecurity Belgium (CCB) warned that threat actors are exploiting a recently patched critical Windows Netlogon vulnerability (CVE-2026-41089). Microsoft patched the stack-based buffer overflow during May 2026 Patch Tuesday, which can allow unauthenticated remote code execution on domain controllers. The CCB urged administrators to apply updates immediately, noting a CVSS score of 9.8, while Microsoft has not yet confirmed active exploitation.
read more →