< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 8 of 35

CISA: 'Copy Fail' Linux Flaw Now Actively Exploited

🔒CISA warns that threat actors are actively exploiting the Linux "Copy Fail" vulnerability tracked as CVE-2026-31431. The flaw exists in the kernel's algif_aead cryptographic algorithm interface and lets unprivileged local users gain root by writing four controlled bytes to the page cache of any readable file. Theori published a "100% reliable" Python PoC; vendors are issuing kernel fixes and CISA has ordered federal patches under BOD 22-01.
read more →

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.
read more →

CISA Adds Actively Exploited Linux Root Bug to KEV

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Linux kernel vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild activity. The privilege escalation bug, nicknamed Copy Fail, affects kernels shipped since 2017 and carries a CVSS score of 7.8; patches are available in kernel releases 6.18.22, 6.19.12, and 7.0. Security vendors warn the flaw is especially dangerous for containerized environments when the algif_aead module is exposed on hosts, and detecting exploitation is difficult because the exploit uses legitimate system calls.
read more →

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.
read more →

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.
read more →

Windows Shell Spoofing Vulnerability Forces Rapid Patching

⚠️ Microsoft and CISA have warned that a Windows shell spoofing vulnerability (CVE-2026-32202) is being actively exploited and has prompted a CISA directive requiring federal agencies to patch by May 12. Microsoft says exploitation can expose sensitive data though it does not allow full system takeover. Security experts caution the situation was aggravated by an incomplete earlier fix for CVE-2026-21510, creating a patch gap between vendor updates and organizational deployment. CISOs face a difficult balance between rapid remediation and careful testing to avoid service disruption, and are urged to apply interim mitigations where possible.
read more →

Linux 'Copy Fail' LPE (CVE-2026-31431) Roots Major Distros

⚠ An exploit for a local privilege escalation called Copy Fail (CVE-2026-31431) has been published, allowing unprivileged users to obtain root on Linux kernels released since 2017. The issue was discovered by Theori using its Xint Code AI pentesting platform, reported on March 23, and patched upstream in early April by reverting an in-place crypto optimization. Researchers published a compact Python PoC that they demonstrated against multiple distributions and recommend disabling the algif_aead interface as an interim mitigation while vendors distribute kernel updates.
read more →

ABB IEC 61850 Vulnerability Affects Select Control Devices

⚠️ ABB disclosed CVE-2025-3756, a vulnerability in its IEC 61850 MMS client stack that can be triggered by a specially crafted 61850 packet. Exploitation requires access to the IEC 61850 network and can force PM 877, CI850, and CI868 modules into a fault state requiring manual restart or repeatedly crash S+ Operations IEC 61850 connectivity, causing denial-of-service. System 800xA IEC61850 Connect is not affected. ABB has released or scheduled firmware updates and advises customers to apply fixes and follow mitigating guidance.
read more →

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.
read more →

Critical cPanel and WHM Authentication Bypass Zero-Day

🔒 CVE-2026-41940 is a critical authentication-bypass affecting cPanel, WHM, and WP Squared that has been actively exploited in the wild. The flaw stems from a CRLF injection in login and session-loading where unsanitized Authorization header data is written into server-side session files before authentication, enabling bypass. Patches released April 28 cover multiple 11.x release lines and vendors published detection scripts; short-term mitigations include blocking management ports (2083/2087/2095/2096) or stopping cpsrvd and cpdavd.
read more →

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.
read more →

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.
read more →

Popular WordPress Redirect Plugin Hid Dormant Backdoor

🛡️ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections on his Anchor hosting fleet led to a security alert; WordPress.org has temporarily pulled the plugin pending review. A tampered 5.2.3 build, delivered from an external anadnet[.]com server, added a passive backdoor that only triggers for logged-out users and appears to have been used for cloaked SEO spam. Impacted sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available.
read more →

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
read more →

CISA Adds Actively Exploited ConnectWise and Windows Flaws

🔒 CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4), and CVE-2026-32202, a protection-mechanism failure in Windows Shell (CVSS 4.3). Patches were released in February 2024 and April 2026 respectively. The additions follow observed real-world exploitation, including chaining with other CVEs and activity attributed to both nation-state and criminal groups. Affected organizations and federal agencies should prioritize remediation and verify deployments of the relevant fixes.
read more →

Critical LiteLLM Pre-auth SQLi Allows Database Access

🔓 LiteLLM's proxy contains a pre-auth SQL injection in its API key verification, tracked as CVE-2026-42208. An attacker can send a crafted Authorization header to any LLM API route to read and modify the proxy database, exposing API keys, master keys, provider credentials, and environment secrets. Exploitation was observed about 36 hours after public disclosure and targeted '/chat/completions'. Upgrade to 1.83.7 or apply the suggested workaround and rotate any exposed credentials.
read more →

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The entries are CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, and CVE-2026-32202, a protection mechanism failure in Microsoft Windows. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed flaws by specified due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

Microsoft: Active Exploitation of Windows Shell Bug

🛡️ Microsoft confirmed active exploitation of a patched Windows Shell vulnerability, CVE-2026-32202, after correcting its advisory metadata. The flaw is a spoofing/authentication-coercion issue (CVSS 4.3) that can disclose sensitive information and was addressed in April Patch Tuesday. Akamai researcher Maor Dahan links the defect to an incomplete February fix for CVE-2026-21510 and says an APT28 campaign weaponized LNK/CPL/UNC/SMB chains to harvest credentials.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.
read more →

CISA: Over 10,000 Zimbra Servers Vulnerable to XSS

⚠️ Shadowserver and CISA warn that more than 10,500 internet-exposed Zimbra Collaboration Suite instances remain vulnerable to an actively exploited cross-site scripting bug tracked as CVE-2025-48700. Synacor issued patches in June 2025, but the flaw can be triggered without user interaction when a maliciously crafted email is viewed in the Classic UI. CISA added the issue to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure affected servers by April 23.
read more →