< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 2 of 13

CISA warns: actively exploited LiteSpeed cPanel flaw

⚠️ CISA has ordered federal agencies to secure servers against an actively exploited LiteSpeed cPanel user-end plugin flaw (CVE-2026-48172 / CVE-2026-54420) that can allow privilege escalation to root on shared hosting with CloudLinux/CageFS. The vulnerability affects plugin versions prior to 2.4.8 and stems from a UNIX symlink following weakness; LiteSpeed released urgent updates and provided a command to check for compromises. Agencies must comply with BOD 26-04 and remediate systems within three days per the Known Exploited Vulnerabilities Catalog.
read more →

Cisco SD‑WAN flaw highlights management‑plane risk

🔒 Cisco has issued patches for a vulnerability in Cisco Catalyst SD‑WAN Manager that allowed authenticated users with write access to create or overwrite files via a flawed file upload API, potentially enabling later privilege escalation to root. The flaw, tracked as CVE‑2026‑20262, affected all deployment types and had been subject to limited exploitation; Cisco advised upgrading to fixed releases and reviewing logs for suspicious uploads such as index.jsp and .war files. Analysts warn that compromise of the management plane can lead to network‑wide control‑plane impact and recommend isolating, hardening, and tightly monitoring SD‑WAN managers as Tier‑0 assets.
read more →

Critical FortiSandbox Vulnerabilities Actively Exploited

🛡️ Fortinet's FortiSandbox platform is being actively targeted by attackers exploiting multiple recently patched critical vulnerabilities. The flaws (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) enable unauthenticated privilege escalation and remote code execution through low-complexity command injection, requiring no user interaction. Administrators are urged to upgrade affected systems to the latest releases to block ongoing attacks and reduce exposure.
read more →

Cisco issues patches for SD‑WAN file upload flaw

🔒 Cisco has released updates fixing a medium‑severity flaw in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20262) that is being actively exploited. The bug allows an authenticated attacker with write access to create or overwrite files via a vulnerable web UI file upload API, which can be leveraged to escalate privileges. Affected on‑prem and cloud SD‑WAN deployments have fixes available across multiple release tracks; customers are urged to apply patches and audit logs for suspicious WAR uploads.
read more →

CISA Adds LiteSpeed cPanel Plugin Flaw to KEV

🛡️ CISA added CVE-2026-54420 — a privilege escalation flaw in the LiteSpeed cPanel plugin — to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate by June 18, 2026. The vulnerability (CVSS 8.5) allows a user with FTP or web shell access to escalate to root on shared hosting running CloudLinux/CageFS. LiteSpeed advised running a specific grep check in cPanel logs to detect exploitation and recommended upgrading to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later. Namecheap reported the issue on May 31, 2026.
read more →

Cisco fixes SD‑WAN Manager zero‑day exploited to root

🛡️ Cisco has released patches for a zero-day in Catalyst SD-WAN Manager (formerly SD-WAN vManage), tracked as CVE-2026-20262, which was exploited to escalate to root privileges. The flaw affects all deployment types and results from insufficient validation of user-supplied file uploads, allowing authenticated low-privilege attackers to create or overwrite files via a crafted HTTP request. Cisco PSIRT confirmed active exploitation, provided IOCs, and strongly urged customers to upgrade to fixed releases.
read more →

LiteLLM vulnerability chain allows full server takeover

🛡️ Researchers at Obsidian Security disclosed a three-bug chain in the open-source LiteLLM proxy that lets a default low-privilege account escalate to full proxy admin and achieve remote code execution. The combined issue, rated CVSS 9.9, exposes provider keys, decryption secrets, prompts, and responses. Maintainer BerriAI published fixes in LiteLLM v1.83.14-stable (May 2); users should upgrade and audit admin roles, guardrails, callbacks, and keys.
read more →

Critical SearchLeak flaw in Microsoft 365 Copilot

🔒 Microsoft fixed a critical vulnerability chain named SearchLeak in Microsoft 365 Copilot Enterprise that could let attackers exfiltrate mailbox, OneDrive, and SharePoint data via a single crafted URL. Researchers at Varonis chained a parameter-to-prompt injection, an HTML rendering race condition, and a Bing SSRF-based CSP bypass to make Copilot fetch and leak sensitive content. The issue was addressed as CVE-2026-42824 and requires no user action now that Microsoft patched it.
read more →

Microsoft patches YellowKey, GreenPlasma and MiniPlasma zero-days

🔒 Microsoft released June 2026 updates fixing three zero-day vulnerabilities disclosed by a researcher known as "Nightmare Eclipse." The flaws—GreenPlasma and MiniPlasma (local privilege escalation) and YellowKey (WinRE backdoor)—allow attackers to escalate to SYSTEM or bypass BitLocker on affected Windows systems. Microsoft provided mitigations for YellowKey and criticized the public disclosure of proof-of-concepts.
read more →

Microsoft issues record June 2026 security fixes

🛡️ Microsoft released fixes for a record 206 security vulnerabilities in June 2026, including three publicly disclosed flaws. The update covers 39 Critical and 167 Important issues, spanning privilege escalation, RCE, information disclosure, spoofing, and more, and includes two non-Microsoft CVEs and numerous Chromium fixes affecting Edge. Notable patched bugs include a Windows Kernel use-after-free (CVE-2026-45657), HTTP.sys and DHCP client RCEs, and several BitLocker bypasses addressed after public PoCs.
read more →

Microsoft fixes 200 CVEs in June Patch Tuesday

🛡️ Microsoft released June Patch Tuesday updates addressing 200 vulnerabilities, including three publicly disclosed zero-days. The release fixed 33 critical CVEs — mostly remote code execution bugs — and a large share of elevation-of-privilege issues. Notable fixes include the HTTP/2 Bomb DoS (CVE-2026-49160), a BitLocker bypass (CVE-2026-50507), and a CTFMON elevation-of-privilege flaw (CVE-2026-45586). Administrators are advised to prioritize patches for several high-risk RCE and EoP bugs affecting Windows components like Win32K, Remote Desktop, DHCP client, and Hyper-V.
read more →

Active privilege escalation flaw in Cisco SD‑WAN Manager

🔒 Cisco warns of an actively exploited high-severity vulnerability in Catalyst SD‑WAN Manager that allows authenticated attackers to escalate privileges to root. The flaw, tracked as CVE-2026-20245, requires local access and netadmin privileges but can be chained with prior authentication bypass bugs. Cisco recommends upgrading to the latest versions, checking edge device configurations, saving logs, and contacting TAC if indicators of compromise are found.
read more →

One-character Linux kernel flaw enables local root

🔒 Security researchers published a working exploit for a Linux kernel use-after-free, CVE-2026-23111, allowing unprivileged local users to escalate to root and escape containers. The bug resides in nf_tables packet-filtering code and was patched upstream on February 5, 2026; public exploit write-ups appeared in April and June. The reachable setup requires nf_tables and unprivileged user namespaces, common defaults on many desktops and server builds. Administrators should update their kernel packages and reboot to mitigate the issue.
read more →

Cisco warns of active exploit in SD‑WAN Manager

🔒 Cisco has disclosed a high-severity vulnerability, CVE-2026-20245, affecting Catalyst SD‑WAN Manager deployments including on-premises and cloud variants. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file due to insufficient input validation. Cisco noted limited cases of configuration changes pushed to edge devices and advised applying fixes for related authentication bypass flaws (CVE-2026-20182) while monitoring /var/log/scripts.log for IoCs.
read more →

Critical Cisco SD‑WAN Manager zero‑day enables root

🔒 Cisco warned of a high‑severity, unpatched zero‑day (CVE-2026-20245) in the Catalyst SD‑WAN Manager actively exploited to escalate to root. The flaw affects all deployment types and results from insufficient validation of user‑supplied input, allowing local attackers with netadmin privileges to perform command injection by uploading crafted files. Cisco noted limited cases of configuration changes pushed to edge devices and advised contacting TAC and producing admin‑tech logs for investigation. Patches are not yet available; customers were urged to install fixes for related CVE-2026-20182.
read more →

Cisco fixes UC Manager file-write to root escalation

🔒 Cisco patched a server-side request forgery in Unified Communications Manager tracked as CVE-2026-20230 that allows unauthenticated network attackers to write files to the underlying OS and then escalate to root. Proof-of-concept exploit code is public and Cisco's PSIRT has not observed in-the-wild use yet. The flaw requires the WebDialer service to be running; WebDialer is off by default but exposes systems where it is enabled. Patching is recommended (14SU6 for the 14 train; interim COP or disable WebDialer until 15SU5 for the 15 train).
read more →

ThreatsDay bulletin: escalating cyber intrusion trends

🛡️ Cisco patched a high-severity SSRF in Unified Communications Manager, while Russia reported large-scale mobile spyware targeting officials and ongoing investigations. Threat actors continue to distribute VIP Keylogger via layered social engineering and JavaScript loaders, and DriveSurge operates a widespread malware delivery network using ClickFix and FakeUpdates. U.S. sanctions hit major Iranian crypto exchanges; RMM and trusted tools are increasingly abused for persistence and privilege escalation.
read more →

Cisco warns of critical Unified CM flaw

🔒 Cisco released updates for a critical Unified Communications Manager (Unified CM) vulnerability (CVE-2026-20230) that can be exploited via SSRF to gain root privileges. The issue affects systems with the WebDialer service enabled, which is disabled by default, and Cisco notes public proof-of-concept exploit code is available. Administrators should apply patched versions 14SU6 or 15SU5 or temporarily disable the WebDialer service as a mitigation.
read more →

Critical Kirki Flaw Lets Attackers Hijack WordPress

🔒 Defiant's Wordfence observed active exploitation of a critical privilege escalation bug (CVE-2026-8206) in the Kirki - Freeform Page Builder plugin, used on over 500,000 sites. The flaw, introduced in version 6.0.0 and present through 6.0.6, exposes a password reset endpoint that sends reset links to attacker-supplied emails, enabling account takeover. Vendor patched the issue in v6.0.7; site owners must update or disable the plugin immediately.
read more →

Google June 2026 Android security updates

🔒 Google released June 2026 security patches addressing 124 Android vulnerabilities, including a high-severity Framework flaw tracked as CVE-2025-48595 affecting Android 14–16 and 16 QPR2. This privilege escalation bug can be exploited without user interaction and is reportedly under limited targeted exploitation. The June updates arrive in two batches, with the latter adding kernel and chipset fixes from MediaTek, Qualcomm, Unisoc, and others.
read more →