
All news with #zero day exploitation tag

389 articles

CISA orders federal patch for WebLogic zero-day

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch an actively exploited Oracle WebLogic vulnerability, CVE-2024-21182, by June 4 under BOD 22-01. The flaw affects Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 and enables unauthenticated remote compromise via T3/IIOP. Shodan reports over 1,592 exposed and vulnerable WebLogic instances, and CISA urges all organizations to apply vendor mitigations or discontinue use if fixes are unavailable.

Google issues June 2026 Android security patches

🔒 Google released the June 2026 Android security updates fixing 124 vulnerabilities, including one actively exploited Android Framework zero-day (CVE-2025-48595) affecting devices running Android 14 and later. The company warned of limited, targeted exploitation and urged users to update to the latest Android versions. Two patch bundles (2026-06-01 and 2026-06-05) were issued; Pixel devices will receive updates immediately while other vendors may delay. Google also addressed 18 critical flaws across System, Framework, and Qualcomm components, and previously patched other zero-days this year.

Responsible Vulnerability Disclosure in the AI Era

🛡️ Responsible Disclosure in the Age of AI argues that frontier AI systems now autonomously discover software vulnerabilities at unprecedented speed and scale, exposing long-standing technical debt in the software industry. The piece traces the evolution of assurance practices and disclosure frameworks and highlights growing tension between offensive and defensive cyber equities, particularly in the U.S. and China. It calls for coordinated national and international efforts to accelerate remediation, patch management, and investment in automated repair capabilities to close the narrowing window before adversaries exploit these advances.

Monthly security roundup: May 2026 highlights

🎥 ESET Chief Security Evangelist Tony Anscombe reviews major cybersecurity stories from May 2026, focusing on industrial control system intrusions, an AI-directed data theft, a Google-reported AI-developed zero-day, and crypto kiosk scams. He outlines attack vectors such as weak passwords and internet-exposed systems, notes the partial failure of an IT-to-OT escalation, and previews mitigation advice for defenders. Watch Tony’s video for practical recommendations and refer to the April edition for additional context.

Critical Gogs zero-day enables remote code execution

🛡️ An unpatched zero-day in the Gogs self-hosted Git service allows authenticated non-admin users to gain remote code execution on Internet-facing instances. The flaw, an argument injection in the Merge() code path affecting Gogs 0.14.2 and 0.15.0+dev, can be exploited via malicious branch names during a rebase-merge operation. Researcher Jonah Burges reported the issue in March; maintainers have acknowledged but not yet patched it. Shadowserver and Shodan count thousands of exposed Gogs servers, many with default open registration enabled.

Microsoft Rebukes Public Zero‑Day Disclosures

🛡️ Microsoft has urged the security research community to follow Coordinated Vulnerability Disclosure (CVD) after a researcher publicly released details and exploit code for multiple Windows zero‑days, including issues in Defender and BitLocker. The company said several disclosed flaws were not shared with Microsoft before publication, exposing customers to unnecessary risk and prompting security teams to work continuously on protections and updates. Some of the disclosed flaws — BlueHammer, RedSun and UnDefend — are reported to be actively exploited in the wild, and vendor actions have included takedowns of the researcher’s GitHub account.

Microsoft criticizes uncoordinated zero-day disclosures

🛡️ Microsoft has criticized researchers for publicly disclosing six zero-day vulnerabilities before patches were available, calling such actions irresponsible and risky. The company said its security teams are working around the clock to investigate and mitigate issues including privilege escalation and bypass flaws in Defender and BitLocker. Microsoft urged adherence to industry-standard coordinated vulnerability disclosure (CVD) practices, which typically allow a 90-day embargo for patch development. It cautioned that uncoordinated releases can place proof-of-concept exploit code into malicious hands and undermine efforts to protect customers.

Vulnerabilities Surpass Credentials as Top Breach Entry

🔍 Verizon’s 2025 DBIR finds exploited vulnerabilities were the initial cause in 31% of breaches, overtaking credential abuse at 13%. The report highlights slower remediation: only 26% of critical CISA KEVs were fully fixed, with median patch time rising to 43 days. Analysts warn AI-driven exploit development, sprawling supply chains, and growing vulnerability volumes are worsening the threat landscape, urging risk-based continuous patching and stronger identity controls.

KnowledgeDeliver LMS ViewState Flaw Enables Web Shell

🛡️ A high-severity ASP.NET ViewState deserialization flaw (CVE-2026-5426) in Digital Knowledge KnowledgeDeliver was exploited as a zero-day to deploy the Godzilla web shell and later Cobalt Strike Beacon. Google Mandiant and GTIG found attackers abused hard-coded machineKey values in vendor-supplied web.config files to craft malicious __VIEWSTATE payloads, gaining unauthenticated RCE on affected instances prior to February 24, 2026. The intrusion included file system escalation, tampering with site JavaScript to deliver a fake security plugin, and a targeted encrypted payload named for the victim organization.

BootROM flaw in Qualcomm chips lets attackers persist

🔒 Kaspersky researchers disclosed CVE-2026-25262, a BootROM-level flaw in Qualcomm’s Sahara/EDL implementation that enables arbitrary write operations during device recovery. The bug, a CWE-123 Write-What-Where condition in the ARM Primary Boot Loader, permits attackers with brief physical access via USB to upload and execute malicious code before the OS boots. Qualcomm confirmed the issue, issued a security bulletin, and pledged fixes for future silicon while advising mitigation steps for affected devices.

Trend Micro Apex One zero-day exploited in attacks

🛡️ Trend Micro disclosed a zero-day in its Apex One on-premises server (CVE-2026-34926), a directory traversal flaw that can let a local attacker with administrative access inject malicious code to be deployed to agents. The vendor noted the bug is restricted to on-prem installations and requires prior admin credentials, but observed at least one attempted exploitation in the wild. CISA added the vulnerability to its actively exploited list and ordered federal agencies to patch by June 4, while Trend Micro also released fixes for seven related SEP agent privilege escalation issues.

Microsoft issues emergency fixes for Defender zero-days

🔒 Microsoft released emergency fixes addressing two zero-day vulnerabilities in the malware protection components of Microsoft Defender. The flaws let local attackers escalate to system-level privileges or disrupt the anti-malware service, both of which aid malware persistence and control. CISA added CVE-2026-41091 and CVE-2026-45498 to its KEV catalog after in-the-wild exploitation was detected, and administrators are urged to update the Malware Protection Engine and Antimalware Platform to the specified versions immediately.

Critical ChromaDB RCE Flaw Leaves Servers Exposed

🔒 Researchers disclosed a critical vulnerability in ChromaDB (CVE-2026-45829) that allows unauthenticated attackers to execute arbitrary code and access sensitive data on affected servers. The flaw is a race condition in the FastAPI-based API server that fetches and executes remote embedding model code before performing authentication checks. HiddenLayer says versions 1.0.0 through 1.5.8 are affected and many public instances remain vulnerable; they recommend using the Rust implementation and restricting network access until a patch is available.

Chromium leak exposes unfixed persistent JavaScript flaw

🛡️ Google inadvertently published details of an unfixed Chromium vulnerability that allows JavaScript to continue running after the browser is closed, enabling remote code execution via persistent Service Workers. Reported by researcher Lyra Rebane in December 2022, the issue affects all Chromium-based browsers and was marked fixed in February 2024 but a patch was not shipped. The bug tracker entry was briefly made public on May 20, revealing the exploit still works in Chrome Dev 150 and Edge 148, making attacks stealthier and increasing risk until an emergency fix is released.

ThreatsDay bulletin: evolving threats and trends

🛡️ This week's ThreatsDay bulletin highlights a string of notable cybersecurity developments, from 47 zero-day exploits revealed at Pwn2Own Berlin 2026 to active Linux rootkit evolution. It summarizes warnings about agentic AI, targeted intrusions using AI agents, and advisories on token and dependency leaks. The report also covers nation-state tensions, ransomware activity, encrypted communications, and campaigns abusing identity recovery flows.

Microsoft Warns: Two Defender Zero-Days Patched Urgently

🛡️ Microsoft released emergency updates on Wednesday to address two actively exploited Microsoft Defender zero-day vulnerabilities. The first, CVE-2026-41091, affects the Microsoft Malware Protection Engine and can be abused to achieve SYSTEM privileges via improper link resolution before file access. The second, CVE-2026-45498, impacts the Defender Antimalware Platform and may be used to trigger denial-of-service; Microsoft says updates should deploy automatically but advises administrators to verify platform and signature versions and confirm successful installation.

Nine-Year Linux Kernel Flaw Lets Local Users Gain Root

🔒 Qualys disclosed a nine-year-old Linux kernel vulnerability tracked as CVE-2026-46333 (ssh-keysign-pwn) that stems from the __ptrace_may_access() code path. The flaw can allow an unprivileged local user to disclose sensitive files such as /etc/shadow and SSH host private keys and to execute arbitrary commands as root on default installs of Debian, Fedora, and Ubuntu. A public proof-of-concept appeared after a kernel commit; vendors have issued patches and recommend raising kernel.yama.ptrace_scope to 2 as a temporary mitigation.

Microsoft Weighs Patch for YellowKey BitLocker Flaw

🔒 Microsoft is evaluating a patch for a newly disclosed zero-day, YellowKey, which can bypass BitLocker encryption and allow local attackers to read and modify files. The company issued an advisory for CVE-2026-45585 and provided immediate mitigation guidance while a fix is considered. Organizations are urged to limit physical access to vulnerable devices, audit their environments, and strengthen Secure Boot and firmware integrity controls.

Microsoft outlines mitigations for YellowKey zero-day

🛡️ Microsoft has published mitigations for the YellowKey Windows BitLocker zero-day (tracked as CVE-2026-45585) after a public proof-of-concept revealed attackers can place crafted FsTx files on USB or EFI media and boot into WinRE to bypass protections. The company advises removing autofstx.exe from the Session Manager BootExecute value and reestablishing BitLocker trust for WinRE. It also recommends switching devices from TPM-only to TPM+PIN to require a pre-boot PIN. These steps are interim mitigations until a security update is available.

Patched Windows Cloud Filter Bug Reappears as Exploit

🔒 Researchers report a six-year-old elevation-of-privilege vulnerability in the Windows Cloud Filter driver cldflt.sys remains exploitable despite a 2020 patch. Nightmare Eclipse reworked a Google Project Zero PoC by James Forshaw into an exploit called MiniPlasma, which can elevate a local user to SYSTEM on many builds. The issue, tracked as CVE-2020-17103, involves undocumented key-creation behavior and is race-dependent; Microsoft declined immediate comment.