< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 5 of 35

Critical WP Maps Pro Flaw Enables Site Takeover

🛡️ WP Maps Pro, a popular WordPress plugin, contains a critical privilege escalation vulnerability (CVE-2026-8732) that allows unauthenticated attackers to create administrator accounts and take over sites. The flaw affects all versions up to 6.1.0 and was fixed in 6.1.1. Security researcher David Brown reported the issue, and Wordfence has observed active exploitation attempts. Site owners must update immediately to mitigate ongoing attacks.
read more →

Palo Alto fixes auth-bypass in GlobalProtect VPN

🔒 Palo Alto Networks patched CVE-2026-0257, an authentication bypass on the GlobalProtect portal and gateway, after attackers began exploiting the flaw. Initially rated medium, the issue was raised to high severity following multiple exploitation attempts on unpatched PAN-OS devices. Rapid7 observed forged-cookie probes and VPN IP assignment to internal networks, prompting urgent patching guidance. CISA added the vulnerability to its KEV Catalog and federal agencies must remediate by June 1.
read more →

Critical WP Maps Pro Bug Lets Attackers Create Admins

🔒 A critical vulnerability in WP Maps Pro (CVE-2026-8732) allowed unauthenticated attackers to create administrator accounts via a flawed "temporary access" AJAX endpoint. Discovered by researcher David Brown, the issue affected versions 6.1.0 and older and relied on a publicly exposed nonce in frontend JavaScript, making protections ineffective. Defiant observed active exploitation attempts and blocked thousands of requests, and the vendor released WP Maps Pro 6.1.1 to address the flaw. Site owners are urged to update immediately to prevent account takeover and persistent backdoors.
read more →

PAN-OS GlobalProtect Authentication Bypass Exploited

🔒 Palo Alto Networks disclosed a medium-severity authentication bypass (CVE-2026-0257, CVSS 7.8) affecting PAN-OS and Prisma Access GlobalProtect portals and gateways when authentication override cookies and a specific certificate configuration are used. The vendor warned on May 13, 2026, and updated on May 29 after confirming limited in-the-wild exploit attempts targeting unpatched devices. Rapid7 reported successful exploitation beginning May 17 with a second wave on May 21, in some cases granting VPN IP assignment and internal network access. Temporary mitigations include disabling authentication override or generating a dedicated certificate for the override feature.
read more →

Unpatched critical Gogs vulnerability highlights open-source risks

🔒 A critical argument-injection vulnerability in the self-hosted Git service Gogs allows any authenticated user to execute code remotely by submitting a pull request with a malicious branch name. Discovered by a Rapid7 researcher, the flaw remains unpatched after months and the Gogs maintainer did not respond to disclosure requests. Rapid7 warns default configurations permit easy account and repo creation, enabling exploitation without admin privileges. Organizations using Gogs should restrict network access and disable self-registration until a fix is available.
read more →

FortiClient EMS exploit delivers credential stealer

🛡️ Arctic Wolf researchers observed threat actors exploiting a critical FortiClient EMS vulnerability (CVE-2026-35616) in May 2026 to push a credential-stealing payload disguised as an endpoint update. The attackers abused EMS management pathways to run malicious PowerShell commands via FortiClient components, modifying configurations to deploy a .cmd script and Base64-encoded PowerShell that downloads and exfiltrates data. Fortinet patched the flaw in FortiClient EMS 7.4.7 and later; attackers targeted managed endpoints and used fortitray.exe to launch the attack.
read more →

CISA orders rapid patch for exploited cPanel plugin

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a critical, actively exploited privilege escalation flaw in the LiteSpeed cPanel user-end plugin, tracked as CVE-2026-48172. LiteSpeed released urgent updates to fix the issue in the lsws.redisAble function and advised administrators to check logs and block suspicious IPs. CISA added the flaw to its known exploited vulnerabilities catalog and required patches by May 29 under BOD 22-01.
read more →

ABB Terra AC Heap Overflow Risks and Fixes

🔒 ABB reported a heap-based buffer overflow in select Terra AC EV chargers that can be triggered via crafted OCPP messages. Exploitation may allow heap pollution, denial-of-service, altered firmware behavior, or possible remote code execution; the vendor has released patched firmware versions. ABB strongly recommends avoiding unencrypted HTTP for OCPP connections and applying updates promptly to mitigate remote exploitation risks.
read more →

ABB B&R Automation Runtime SDM Denial of Service

🔒 An Improper Resource Locking vulnerability in the System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network attacker to delete data and cause denial of service. The vendor corrected the issue in Automation Runtime 6.3 and Q4.93 and notes SDM is disabled by default in AR 6. B&R recommends applying updates, restricting SDM access, using TLS/mutual TLS, and limiting webserver access to trusted IPs.
read more →

ABB zenon Remote Transport Missing Authentication

🔒 ABB has identified a vulnerability in affected versions of the ABB Ability™ zenon Remote Transport Service that permits unauthorized use of the Reboot OS function, allowing an attacker to trigger a system reboot without required authentication. Remote exploitation requires prior access to the target network. Vendors report no evidence of active exploitation at this time. Workarounds include restricting network access and disabling the zensyssrv.exe service when Remote Transport is not needed.
read more →

CERT-In mandates rapid patching to curb AI-enabled threats

🔒 CERT-In has issued a 38‑page blueprint urging organisations to remediate known exploited, internet‑facing critical vulnerabilities within 12 hours where feasible to counter AI‑assisted automation of vulnerability discovery and exploitation. The guidance emphasizes continuous, risk‑based vulnerability and patch management, Zero Trust, defence‑in‑depth, supply chain scrutiny, and secure‑by‑design practices. It also prescribes tiered remediation timeframes for critical and high‑severity flaws and recommends temporary mitigations when patches are unavailable.
read more →

Weekly Cyber Recap: Supply Chain and Active Flaws

⚡ This week's recap covers supply-chain compromises, resurfacing legacy bugs, and security tools themselves being targeted. Key incidents include a poisoned Nx Console VS Code extension leading to a GitHub breach, new active exploitation of Microsoft Defender flaws, and a nine-year-old Linux kernel privilege bug. Teams face increasing targeted phishing and widespread botnet scanning, while organizations scramble to patch critical CVEs and secure exposed services.
read more →

LiteSpeed cPanel plugin bug allows root script execution

🔐 A critical vulnerability, CVE-2026-48172 (CVSS 10.0), in the LiteSpeed User-End cPanel Plugin allows privilege escalation via the lsws.redisAble function, enabling arbitrary scripts to run as root. The flaw affects plugin versions 2.3 through 2.4.4 and is being actively exploited; LiteSpeed fixed it in v2.4.5 and later bundled releases. Administrators are urged to upgrade to cPanel plugin v2.4.7 (with WHM plugin v5.3.1.0) or uninstall the user-end plugin if immediate patching is not feasible.
read more →

CISA Adds Drupal SQL Injection to KEV Catalog

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 6.5) to its Known Exploited Vulnerabilities list after evidence of active exploitation. The vulnerability affects all supported Drupal Core versions and could enable privilege escalation and remote code execution via crafted requests using the database abstraction API. Patches were released across multiple 8.x–11.x branches, with manual patches required for Drupal 9.5 and 8.9.
read more →

Trend Micro Apex One zero-day exploited in attacks

🛡️ Trend Micro disclosed a zero-day in its Apex One on-premises server (CVE-2026-34926), a directory traversal flaw that can let a local attacker with administrative access inject malicious code to be deployed to agents. The vendor noted the bug is restricted to on-prem installations and requires prior admin credentials, but observed at least one attempted exploitation in the wild. CISA added the vulnerability to its actively exploited list and ordered federal agencies to patch by June 4, while Trend Micro also released fixes for seven related SEP agent privilege escalation issues.
read more →

Drupal SQL injection flaw now being exploited

🔒 Drupal has warned administrators that a "highly critical" SQL injection vulnerability, tracked as CVE-2026-9082, is being actively targeted in the wild. Discovered by Google/Mandiant researcher Michael Maturi, the flaw affects Drupal's database abstraction API and allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL. Exploitation requires no authentication and can lead to remote code execution, privilege escalation, and data disclosure; Drupal has released updates and urges immediate patching.
read more →

Microsoft warns of two actively exploited Defender flaws

🔒 Microsoft disclosed two Microsoft Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege escalation rated 7.8 that can allow an attacker to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue rated 4.0. Both are addressed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not affected; updates are applied automatically through malware definitions and the Microsoft Malware Protection Engine.
read more →

SonicWall VPN MFA Bypass: CVE-2024-12802 Exploits and Risks

🔒 ReliaQuest observed attackers brute-forcing credentials and bypassing MFA on SonicWall Gen6 SSL‑VPN appliances by exploiting CVE-2024-12802, allowing rapid internal access and attempts to deploy Cobalt Strike and a vulnerable driver. SonicWall warns that installing the firmware update alone on Gen6 devices does not fully mitigate the flaw; administrators must manually reconfigure LDAP settings to restore MFA enforcement. Gen7/Gen8 devices are fully remediated by firmware updates.
read more →

Webworm APT Expands into Europe, Deploys New Backdoors

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.
read more →

GitHub Breach: ~3,800 Repos Stolen via VS Code Extension

🔒 GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the company removed the malicious version from the Marketplace and isolated the compromised device. It says its current assessment indicates exfiltration was limited to GitHub-internal repositories and that it has found no evidence so far of customer data outside the affected repos being impacted. The incident is under active investigation while GitHub continues incident response.
read more →