< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 7 of 35

ABB AC500 V3: Stack Buffer Overflow in CMS AES-GCM

ABB reports a stack-based buffer overflow in AC500 V3 when parsing CMS (Auth)EnvelopedData with AEAD ciphers like AES-GCM. An oversized IV in ASN.1 parameters may be copied into a fixed-size stack buffer without length checks, allowing an out-of-bounds write before authentication. This can cause crashes, DoS, or potential RCE. ABB issued firmware 3.9.0 HF1 to correct the issue; no workaround exists.
read more →

Critical Linux Kernel LPE 'copy.fail' Vulnerability

⚠ copy.fail is a severe Linux kernel local privilege escalation disclosed on 29 April 2026 with a working proof-of-concept. It abuses the kernel crypto API (AF_ALG sockets) together with splice() to write four bytes at a time directly into the page cache of files the attacker does not own, leaving on-disk files unchanged. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux and Fedora, bypasses checksum-based monitoring, and has no race or per-distro offsets; the mainline fix landed on 1 April and distros are rolling patches.
read more →

cPanel Vulnerability Exposes Hosting Supply Chain Risks

🔒 A recently disclosed cPanel vulnerability, tracked as CVE-2026-41940, is being exploited at scale to deploy backdoors, plant SSH keys, steal credentials, and compromise hosting systems. Researchers at XLab link much of the activity to a long-running group called Mr_Rot13, with automated scans from over 2,000 attacker IPs observed after the late-April disclosure. The incident highlights weak visibility into hosting control planes and urges organizations to treat exposed control panels as high-priority incidents: patch immediately, rotate credentials, hunt for webshells, and review logs for persistence.
read more →

TeamPCP Publishes Malicious Checkmarx Jenkins Plugin

🔒 Checkmarx confirmed a modified Jenkins AST plugin was published to the Jenkins Marketplace after attackers used stolen credentials to push malicious code. The company released v2.0.13-848.v76e89de8a_053 on GitHub and the Marketplace and says this release addresses the incident. It advised users to ensure they run 2.0.13-829.vc72453fa_1c16 (published Dec 17, 2025) or later. Researchers attribute the activity to TeamPCP.
read more →

JDownloader Site Compromise Replaced Installers with RAT

⚠ The official JDownloader website was compromised between May 6 and May 7, 2026, and attackers replaced alternative Windows and Linux installers with malicious payloads. The Windows binaries deploy a heavily obfuscated Python-based remote access trojan, while the Linux shell installer installs SUID-root components and persistence. Developers say the CMS was abused to alter download links without host-level access and have taken the site offline to investigate. Users who ran affected installers should treat systems as compromised, verify installers' digital signatures (AppWork GmbH) and consider reinstalling and rotating credentials.
read more →

Ivanti EPMM: Five Vulnerabilities, One Actively Exploited

🔐 Ivanti disclosed five vulnerabilities in its on‑premises Endpoint Manager Mobile (EPMM) suite, and one—CVE-2026-6973—has been added to CISA’s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy on‑premises MDM fits a Zero Trust model.
read more →

CISA Adds KEV Entry for BerriAI LiteLLM SQLi Risk Now

🔔 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-42208, a SQL injection affecting BerriAI LiteLLM. The agency cites evidence of active exploitation and notes that SQLi remains a common, high-risk vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by their due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Critical PAN-OS Captive Portal Zero-Day Exploited Widely

⚠️ Palo Alto Networks has confirmed a critical zero-day in PAN-OS's Captive Portal (CVE-2026-0300) that allows unauthenticated remote code execution as root on exposed PA and VM series firewalls. Reporting indicates suspected state-sponsored actors exploited the flaw for nearly a month. Palo Alto plans updates beginning May 13; customers should restrict or disable the portal until patches are available.
read more →

Ivanti EPMM RCE (CVE-2026-6973) Under Active Exploitation

🛡️ Ivanti warns of a high-severity flaw, CVE-2026-6973 (CVSS 7.2), in Endpoint Manager Mobile (EPMM) that has been observed in limited active exploitation and permits remote code execution for remotely authenticated users with administrative access. The issue affects on-premises EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 and was released alongside patches for four additional vulnerabilities. CISA added CVE-2026-6973 to its KEV catalog with a May 10, 2026 remediation deadline; Ivanti advises applying updates and rotating credentials as appropriate.
read more →

PAN-OS Critical RCE Exploit Observed in the Wild - May 2026

⚠️ Palo Alto Networks disclosed that threat actors attempted and later succeeded in exploiting a critical buffer overflow, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal, enabling unauthenticated remote code execution as root. Unit 42 linked activity to a suspected state-sponsored cluster tracked as CL-STA-1132, noting shellcode was injected into an nginx worker. Customers are advised to restrict access to trusted zones or disable the portal if unused, and to apply fixes expected to begin rolling out on May 13, 2026.
read more →

CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

🔔 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.
read more →

MAXHUB Pivot Client Vulnerability Exposes Emails Now

⚠️The MAXHUB Pivot client (versions prior to v1.36.2) contains a vulnerability (CVE-2026-6411) that can expose tenant email addresses and related metadata in cleartext due to a hardcoded AES key embedded in the application. An attacker who obtains the encrypted data can decrypt it, and the product's MQTT enrollment mechanism may be abused to register multiple unauthorized devices, potentially causing denial of service. MAXHUB released v1.36.2 via OTA; update immediately.
read more →

Critical PAN-OS Buffer Overflow Targets Exposed Firewalls

🔒 Palo Alto Networks warned of a critical buffer overflow in PAN-OS affecting the User-ID Authentication Portal (CVE-2026-0300) that can allow unauthenticated attackers to execute code as root on exposed PA- and VM-Series firewalls. The vendor says only portals reachable from untrusted IPs are at risk; Prisma Access, Cloud NGFW and Panorama are not impacted. Customers are advised to restrict portal access, disable the Captive Portal if unused, disable Response Pages on untrusted interfaces, and apply mitigations until patched builds roll out in May.
read more →

Critical PAN-OS Buffer Overflow Exploited in the Wild

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.
read more →

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.
read more →

Student Hacks TETRA System, Stops Taiwan High-Speed Trains

🔴 A 23-year-old university student in Taiwan was arrested after allegedly interfering with the country's TETRA-based communications for the Taiwan High Speed Rail (THSR). Authorities say he used SDR equipment and handheld radios to transmit a high-priority 'General Alarm' on April 5, forcing emergency brakes and halting four trains for 48 minutes. Investigators found decoded radio parameters and an accomplice who supplied critical THSR settings. Equipment including 11 radios, an SDR and a laptop were seized; the suspect faces criminal charges and was released on NT$100,000 bail.
read more →

Supply-Chain Attack Compromises DAEMON Tools Installers

🛡️ Kaspersky has identified a supply-chain compromise that trojanized installers for DAEMON Tools, distributed from the vendor’s official site and signed with developer certificates. The affected builds (12.5.0.2421–12.5.0.2434) have been backdoored since April 8, 2026, with three core binaries modified to deploy an implant. The implant contacts an observed C2 domain (env-check.daemontools.cc) to receive shell commands that download and execute follow-on payloads, including a .NET collector and a loader/backdoor pair. Kaspersky observed thousands of initial infection attempts worldwide while more advanced payloads were selectively delivered to a small number of targets in Russia, Belarus, and Thailand; AVB Disc Soft has been notified.
read more →

Critical PHP Code Injection in MetInfo CMS (CVE-2026-29014)

⚠️ New findings from VulnCheck and the NVD confirm that MetInfo CMS versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability (CVE-2026-29014, CVSS 9.8) that allows remote attackers to execute arbitrary code. The defect is located in /app/system/weixin/include/class/weixinreply.class.php and results from insufficient sanitization of Weixin API inputs. On non‑Windows hosts a preexisting /cache/weixin/ directory (created by the official WeChat plugin) is required for exploitation. MetInfo released patches on April 7, 2026, but active exploitation was observed beginning April 25 and escalated on May 1, with most activity originating from China and Hong Kong IPs.
read more →

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.
read more →

Weekly Cyber Recap: Attackers Shift to Long-Term Occupation

🚨This week’s telemetry shows attackers moving from quick breaches to persistent occupation across SaaS, CI/CD and hosting panels. CVE-2026-41940 in cPanel/WHM and the Linux Copy Fail bug (CVE-2026-31431) are being actively exploited alongside supply-chain compromises that weaponize developer pipelines. Social engineering — including vishing that bypasses MFA — and AI-assisted phishing kits are scaling attacks. Prioritize urgent CVEs, rotate pipeline credentials, and treat sessions and routine pipeline runs as potentially hostile.
read more →