< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 6 of 35

Max-Severity ChromaDB Flaw Lets Attackers Hijack Servers

⚠️ A max-severity flaw (CVE-2026-45829) in the Python FastAPI server of ChromaDB allows unauthenticated attackers to load and execute remote models before authentication is enforced, enabling arbitrary code execution on exposed servers. The issue impacts PyPI-distributed releases used widely in AI retrieval stacks; a 1.5.9 release exists but it is unclear if the fix addresses this vulnerability. Mitigations include using the Rust frontend, avoiding public exposure of the Python API, and restricting network access to the ChromaDB API port.
read more →

Agentic AI Drives Surge in Mobile App Cyberattacks

📈 Digital.ai's 2026 Application Security Threat Report found that 87% of monitored customer-facing apps were attacked in 2026, up sharply from 55% in 2022. The firm says agentic AI has lowered the skill and time required for threat actors to inspect code, generate exploits and adapt malware. Financial services, automotive and medical device apps were most targeted, and iOS attacks have nearly closed the gap with Android.
read more →

GitHub Actions Compromised via Imposter Commit Attack

🔒 Security researchers from StepSecurity report that the popular GitHub Actions workflow actions-cool/issues-helper was hijacked by attackers who moved existing tags to imposter commits in an adversary-controlled fork. The malicious commit downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process to harvest CI/CD credentials, and exfiltrates them to an attacker-controlled domain. A second action, actions-cool/maintain-one-comment, had 15 tags similarly altered. GitHub has disabled repository access and only workflows pinned to full commit SHAs remain unaffected.
read more →

Zero-Day Exploit Targets Windows BitLocker TPM Protections

⚠️A new zero-day called YellowKey, published this week by a researcher using the alias Nightmare-Eclipse, demonstrates a reliable bypass of default Windows 11 BitLocker deployments. The exploit circumvents disk encryption that relies solely on the TPM-stored key and requires physical access to the affected machine. Organizations that mandate BitLocker, including government contractors, should reassess device physical security and BitLocker configuration.
read more →

NGINX Heap Overflow CVE-2026-42945 Exploited in the Wild

⚠️ A high-severity heap buffer overflow (CVE-2026-42945, CVSS 9.2) in the ngx_http_rewrite_module of NGINX Plus and NGINX Open (versions 0.6.27–1.30.0) is being exploited in the wild shortly after disclosure. The flaw, reportedly introduced in 2008, can allow unauthenticated attackers to crash worker processes or, when Address Space Layout Randomization (ASLR) is disabled and certain configurations are present, achieve remote code execution. Users are advised to apply F5's fixes and review server configurations urgently.
read more →

Critical Funnel Builder Flaw Actively Injects Skimmers

⚠️A critical vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Sansec reports attackers are planting fake Google Tag Manager-like scripts in the plugin's External Scripts setting to load payment skimmers. FunnelKit released a patch in v3.15.0.3; site owners should update immediately and inspect checkout scripts.
read more →

Critical Funnel Builder WordPress Plugin Exploited

⚠️ A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers modify the plugin’s global settings via an exposed checkout endpoint to add a fake analytics script that opens a WebSocket and delivers a payment card skimmer. The injected skimmer harvests card numbers, CVVs, billing details and other customer data; site owners should update to 3.15.0.3 and inspect External Scripts.
read more →

Cisco warns of exploited SD-WAN authentication bypass

⚠ Cisco has disclosed a maximum-severity authentication bypass in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager platforms that has been observed exploited in the wild. The flaw lets unauthenticated remote actors craft control-connection requests to bypass peer authentication and gain administrative privileges. Cisco has released updates and urges immediate patching because no workarounds exist. The issue is tracked as CVE-2026-20182 with a CVSS score of 10.0 and was added to CISA’s KEV list.
read more →

Microsoft: Exchange Server XSS flaw actively exploited

⚠️ Microsoft disclosed a new actively exploited vulnerability, CVE-2026-42897 (CVSS 8.1), a spoofing bug caused by cross-site scripting in on-premises Exchange Server. An attacker can execute arbitrary JavaScript by sending a crafted email that is opened in Outlook Web Access. Microsoft offers a temporary mitigation via the Exchange Emergency Mitigation Service (enabled by default) and provides an EOMT PowerShell script for environments that cannot use the service; Exchange Online is not affected.
read more →

CISA Adds Cisco SD-WAN CVE to KEV; FCEB Remediate Now

🔒 CISA has added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by May 17, 2026. The flaw is rated 10.0 (CVSS) and allows an unauthenticated remote attacker to obtain administrative privileges. Cisco links active exploitation to threat cluster UAT-8616 and advises customers to follow its advisories and mitigation guidance.
read more →

Critical Auth Bypass in Burst Statistics Plugin Patched

🔒 Wordfence disclosed a critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181) that lets unauthenticated actors impersonate admin users via REST API requests and even create rogue admin accounts. The flaw, introduced in versions 3.4.0 and 3.4.1, misinterprets wp_authenticate_application_password() return values, treating errors or null as successful authentication. Users should upgrade to 3.4.2 or disable the plugin immediately.
read more →

Critical Cisco SD-WAN Controller Zero-Day Exploits

⚠ Cisco warns of an actively exploited authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) rated 10.0, affecting on-premises and SD-WAN Cloud Manager deployments. The vulnerability stems from a peering authentication mechanism that "is not working properly" and can grant high-privileged, non-root administrative access and NETCONF control. Cisco detected exploitation in May, released security updates as the only full remediation, and advises restricting management-plane access and reviewing peering and auth logs for IOCs.
read more →

Cisco fixes CVE-2026-20182 SD-WAN Controller bypass

🔒 Cisco has released fixes for a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) that it says has been exploited in limited attacks. The flaw allows a remote unauthenticated attacker to become an authenticated peer and obtain administrative privileges by abusing the peering authentication mechanism. Affected deployments include On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP); Cisco urges immediate patching and recommends auditing /var/log/auth.log for suspicious peering or publickey entries.
read more →

Threatsday Bulletin: PAN-OS RCE, AI Risks, Supply-Chain

🔥 Palo Alto released fixes for CVE-2026-0300, a critical PAN-OS buffer-overflow exploited in the wild to drop payloads like EarthWorm and ReverseSocks5. The bulletin also highlights new and recurring threats including zero-auth API data leaks at an AI training vendor, an FCC extension for router updates, supply-chain contests, and sophisticated phishing campaigns. Several incidents employ weaponized attachments, tokenizer tampering in AI models, and open-source tools to achieve stealthy remote access and long-term persistence.
read more →

Ongoing Exploitation of Cisco Catalyst SD-WAN Systems

🔔 Talos reports active, in-the-wild exploitation of multiple Cisco Catalyst SD‑WAN vulnerabilities, including CVE-2026-20182 and a chained set (CVE-2026-20133, CVE-2026-20128, CVE-2026-20122) that enable unauthorized access, persistent webshell deployment, and privilege escalation. The threat cluster UAT-8616 and other adversaries have deployed JSP webshells such as XenShell, Godzilla, and Behinder and have installed miners, C2 implants, and reconnaissance and tunneling tools post-compromise. Customers should urgently apply Cisco updates, follow Talos detection guidance and Snort/ClamAV signatures, and engage TAC for incident support and remediation.
read more →

CISA Adds New Entry to Known Exploited Vulnerabilities

⚠️ CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-14 after confirming active exploitation. The agency warns that such vulnerabilities are common attack vectors and present significant risk to the federal enterprise. CISA directs organizations to follow Emergency Directive 26-03 and BOD 22-01 guidance, assess exposure, and apply mitigations or discontinue affected Cisco SD-WAN products if mitigations are not available.
read more →

PraisonAI Authentication Bypass CVE-2026-44338 Exploited

🔒 PraisonAI contained a critical authentication bypass (CVE-2026-44338) in its legacy Flask API server that sets AUTH_ENABLED = False and AUTH_TOKEN = None by default. Exploitation allows unauthenticated callers to enumerate configured agents via /agents and to trigger workflows through /chat, potentially consuming model quotas and exposing run results. The flaw affects versions 2.5.6–4.6.33 and was fixed in v4.6.34; operators are advised to update, audit deployments, and rotate exposed credentials.
read more →

PraisonAI Authentication Bypass Scanned by Internet

🔍 Sysdig reported that a newly disclosed authentication bypass in the open-source orchestration framework PraisonAI was probed by internet scanners about 3 hours and 44 minutes after a GitHub advisory published on May 11. The flaw stems from a legacy Flask API server that ships with authentication disabled by default, affecting versions 2.5.6 through 4.6.33 and fixed in 4.6.34. Researchers urge immediate upgrades and monitoring for the “CVE-Detector/1.0” user-agent and suspicious /api/agents and related paths.
read more →

Avada Builder Vulnerabilities Put One Million Sites at Risk

⚠️ Two newly disclosed flaws in the Avada Builder WordPress plugin place roughly one million sites at risk of arbitrary file read (CVE-2026-4782, CVSS 6.5) and unauthenticated time-based SQL injection (CVE-2026-4798, CVSS 7.5). The issues were reported to Wordfence in March and fixed in 3.15.2 and fully resolved in 3.15.3. Site owners are urged to update immediately and audit subscriber accounts and wp-config.php for signs of compromise.
read more →

Fuji Electric Tellus Privilege Escalation Advisory

🔒 CISA published an advisory describing a privilege-escalation vulnerability in Fuji Electric Tellus arising from a kernel driver that grants all users read and write permissions. Successful exploitation could elevate a user to system privileges and may enable temporary denial of service, file opening, or file deletion. The vendor recommends installing Tellus only with administrator privileges; CISA notes the issue is not remotely exploitable and no public exploitation has been reported. CISA advises implementing ICS defensive measures and following established reporting procedures.
read more →