< ciso
brief />
Tag Banner

All news with #zero day exploitation tag

446 articles

New LegacyHive Windows zero-day enables privilege escalation

🔒 A researcher known as Nightmare Eclipse published a proof-of-concept named LegacyHive after Microsoft's July 2026 Patch Tuesday, claiming it exploits a vulnerability in the Windows User Profile Service. The PoC has been intentionally modified to require additional credentials, making exploitation harder than earlier releases. Analysts note successful exploitation allows non-admin users to modify the classes registry hive and achieve code execution on admin login. Detection queries for Microsoft Defender for Endpoint were published shortly after.
read more →

Chained Zero-Day Flaws in Siemens ROX II Switches

🛡️ This Unit 42 advisory, developed in partnership with Siemens, describes a chained exploit of three zero-day vulnerabilities in Siemens ROX II OT switches. The chain (CVE-2025-40948, CVE-2025-40947, CVE-2025-40949) enables arbitrary file disclosure, root privilege escalation and persistent root execution, risking full device compromise. Siemens has issued advisories and a firmware update V2.17.1; Palo Alto Networks provides virtual patching and OT device protections.
read more →

Patch surge strains defenders amid AI‑driven finds

🔥 This week’s Threat Source highlights a record Microsoft Patch Tuesday that fixed 622 vulnerabilities, including two zero‑days being actively exploited. Cisco Talos discloses UAT‑11795, a Russian‑speaking group using trojanized installers to deliver the Python-based Starland RAT and an in-memory PowerShell implant called WLDR agent. The newsletter outlines detection guidance and emphasizes the operational stress on IT teams facing accelerated vulnerability discovery driven by frontier AI research.
read more →

CISA orders federal patching for exploited Oracle EBS flaw

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch systems by Saturday to mitigate active exploitation of a critical Oracle E-Business Suite vulnerability, tracked as CVE-2026-46817. The flaw in the Oracle Payments File Transmission component allows unauthenticated HTTP access leading to system takeover in low-complexity attacks. Oracle issued fixes in its May 2026 Critical Security Patch Update and urged immediate patching, while security firms and CISA have observed active exploitation. Shadowserver reports over 1,000 Internet-exposed Oracle EBS instances, many in the U.S., prompting CISA to add the flaw to its list of known exploited vulnerabilities and mandate remediation under BOD 26-04.
read more →

Microsoft issues unprecedented July Patch Tuesday updates

🛡️ Microsoft released updates for 570 CVEs on the July 14 Patch Tuesday, prompted by its use of agentic AI to discover flaws. The update batch includes three zero-days (two exploited in the wild) and a large number of elevation-of-privilege, remote code execution and information disclosure bugs. Experts warn this surge is becoming the new normal and urge organizations to adopt risk-based patching, attack-surface reduction and scalable processes.
read more →

SonicWall SMA 1000 Zero‑Days Prompt Urgent Patches

🛡️ SonicWall warned of active exploitation of two zero‑day vulnerabilities affecting Secure Mobile Access (SMA) 1000 series appliances, including an SSRF that scores 10.0 and a post‑auth code injection allowing command execution. Patches are available in platform hotfix builds 12.4.3‑03453, 12.5.0‑02835 and later; customers are urged to apply fixes and perform forensic checks for specific IoCs. CISA added both flaws to its KEV catalog and set a July 17, 2026 deadline for federal agencies.
read more →

SonicWall SMA1000 Zero-Day Flaws Prompt Urgent Patch

🛡️ SonicWall warns customers that two SMA1000 vulnerabilities, CVE-2026-15409 and CVE-2026-15410, are being actively exploited and urges immediate installation of hotfixes. CVE-2026-15409 is a critical SSRF (CVSS 10.0) in the Appliance Work Place interface allowing unauthenticated requests, while CVE-2026-15410 is a high-severity post-authentication code injection (CVSS 7.2) enabling OS command execution. Fixes are available in platform-hotfix versions 12.4.3-03453 and 12.5.0-02835 and later; SonicWall provided IOCs and recommends re-imaging compromised devices.
read more →

Microsoft issues record July security update batch

🔒 Microsoft released updates addressing a record 570 security vulnerabilities in July’s Patch Tuesday, attributing the surge to AI-assisted discovery. Nearly 60 of the flaws are rated critical, and three are confirmed zero-days already exploited in the wild. The fixes include numerous elevation-of-privilege bugs and a BitLocker security bypass; vendors warn that AI speeds both discovery and exploit development.
read more →

Progress confirms ShareFile zero‑day behind shutdown

🛡️ Progress Software confirmed a high‑severity zero‑day in ShareFile Storage Zone Controller that prompted an emergency shutdown of customer Windows servers. The flaw is a path traversal impacting all 5.x and 6.x releases, allowing an authenticated admin to read arbitrary files, write attacker‑controlled content, or enumerate the filesystem. Progress released patches (5.12.5 and 6.0.2), reserved a CVE to be published in two weeks, and currently reports no evidence of customer data breaches.
read more →

AI-Driven Breaches Force Rethink of Incident Response

🛡️ Enterprises face a new class of attacks as threat actors leverage AI agents to automate entire intrusion chains, dramatically compressing the time from initial access to deep compromise. Reports from Sygnia and Sysdig document AI-enabled campaigns that harvest credentials, map services, and persist across cloud environments, often exploiting known vulnerabilities rather than zero-days. Experts warn that traditional, human-speed incident response and hunting are often too slow, and emphasize the need for integrated, AI-assisted defenses and rigorous hygiene: fast patching, secrets rotation, least privilege, segmentation, and automated response playbooks.
read more →

Microsoft warns of rising Windows security updates

🛡️ Microsoft says it is deploying AI-driven analysis to uncover more zero-day vulnerabilities across the Windows codebase, warning customers to expect an increased number of security updates. The company described a multi-model agentic scanning harness (MDASH) and a separate prove pipeline to validate findings, aiming to reduce false positives and shorten review windows. Microsoft also plans to update its Secure Development Lifecycle to address AI-enabled attack techniques while retaining human oversight to ensure update quality.
read more →

Microsoft patches Defender RoguePlanet zero‑day

🛡️ Microsoft released a Malware Protection Engine update to fix a Defender zero-day tracked as CVE-2026-50656, dubbed "RoguePlanet." The vulnerability, disclosed by researcher "Nightmare Eclipse," allows spawning a SYSTEM command prompt via a Defender race condition and reportedly works on fully patched Windows 10 and 11 devices. Microsoft shipped version 1.1.26060.3008 to address the issue after confirming work on a patch on June 16.
read more →

Convicted Operators Run Controversial Cybersecurity Startup

🛡️ A cybersecurity startup called IRIS C2, linked to Calvexa Group LLC, is publicly recruiting researchers and offering large payouts for zero-day exploits. The venture is tied to convicted felons and far-right activists Jack Burkman and Jacob Wohl, who have a history of fake intelligence firms, robocall schemes, and legal penalties. IRIS C2 claims to sell offensive capabilities to governments and says it hires junior talent regardless of formal credentials.
read more →

KDDI breach exposes millions of email accounts

📧 KDDI, Japan's second-largest telecom, disclosed a breach of an email platform used by five ISPs that exposed millions of email addresses and passwords. The company detected the incident on June 17 and says attackers exploited a zero-day in third-party software on May 16. KDDI reported up to 14.22 million affected accounts, with 12.23 million email addresses and 7.62 million passwords exposed, and is forcing password changes and deploying EDR.
read more →

CISA directs federal patch for ColdFusion zero-day

🔒 The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch an actively exploited, maximum-severity vulnerability in Adobe ColdFusion (CVE-2026-48282) by Friday. Adobe published fixes for affected ColdFusion versions last week and urged administrators to install updates immediately. The flaw enables unauthenticated remote code execution in low-complexity attacks and has been observed in the wild soon after disclosure. CISA added the issue to its KEV catalog and invoked BOD 26-04 to enforce remediation timelines for FCEB agencies.
read more →

15-Year-Old Linux GhostLock Flaw Enables Root

🛡️ Researchers at Nebula Security disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel use-after-free that allows any logged-in user to gain root privileges on unpatched systems. The bug, present in mainstream distributions since 2011, requires only ordinary local threading calls and no network access. Nebula developed a 97% reliable exploit that also escapes containers and received $92,337 from Google's kernelCTF bounty. Patching is urgent, with early fixes having introduced a follow-up crash bug and distributions still rolling out the corrected kernel.
read more →

Universities targeted via Roundcube zero‑day chain

🛡️ A suspected China-aligned threat cluster exploited patched and unpatched Roundcube webmail flaws to target physics and engineering departments at U.S. and Canadian universities. The campaign, tracked as UNK_MassTraction and first seen in May 2026, used CVE-2024-42009 XSS to steal credentials and a follow-up RCE CVE-2025-49113 to drop web shells or deploy VShell. The payload, dubbed IceCube, siphons credentials, 2FA tokens and cookies, then attempts persistent access via SquareShell or VShell.
read more →

Januscape: 16-year KVM flaw allows guest-to-host escape

🛡️ A long-standing use-after-free bug in Linux's KVM shadow MMU, tracked as CVE-2026-53359 and dubbed Januscape, lets a guest VM corrupt host shadow-page state and can reliably panic hosts. The public PoC triggers host crashes; the researcher reported an unreleased exploit that achieves full host code execution on Intel and AMD. Fixes were merged June 19, 2026 and backported to stable kernels on July 4, 2026; hosts with nested virtualization should be patched or have nesting disabled.
read more →

Researcher Publishes Mass Open-Source Exploit Dump

🔍 A pseudonymous researcher published an 'Exploitarium' GitHub repository containing over 30 proof-of-concept exploits for zero-day vulnerabilities in many open-source projects without prior vendor notification. The dump, shared from June 27 onwards, targets projects like libssh2, FFmpeg, 7-Zip, Gitea, PHP and others, and the author claims AI-assisted fuzzing using OpenAI models. The release bypassed coordinated vulnerability disclosure, drew debate across the security community, and has led to some CVEs and patches, while others remain under review.
read more →

Critical SimpleHelp RMM authentication bypass exploited

🔒 A critical authentication bypass in SimpleHelp's RMM software was exploited to forge a technician login token and deliver two previously unseen malware families. Researchers at Blackpoint Cyber found the flaw (CVE-2026-48558) allowed unauthenticated token forgery by skipping cryptographic signature checks in OpenID Connect. Attackers abused built-in file transfer and remote execution to deploy a Node.js loader named TaskWeaver and a cross-platform stealer called Djinn Stealer. The vulnerability received a CVSS score of 10 and was patched in late May; CISA added it to KEV on June 29.
read more →