< ciso
brief />
Tag Banner

All news with #zero day exploitation tag

446 articles · page 2 of 23

Nissan reports employee data breach after PeopleSoft zero-day

🔒 Nissan has disclosed a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability tied to a wider campaign. The automaker says the incident may have exposed contact, financial, tax, and identification details and impacts employees in the US, Canada, Mexico, and Brazil. Nissan has engaged external cybersecurity experts, restricted certain payroll functions, and will offer monitoring services to affected individuals while working with Oracle on remediation.
read more →

NAIC Confirms PeopleSoft Breach Exposes Credit Data

🔒 The US National Association of Insurance Commissioners (NAIC) disclosed a security breach detected on June 11 and revealed on June 17 that an unauthorized actor exploited a zero-day in Oracle PeopleSoft to access parts of its environment. The attacker obtained and published some statutory financial reporting and credit rating agency data, and possibly routine technical files. NAIC says personal, payment, and several regulatory system records were not compromised and operations are largely restored.
read more →

Critical libssh2 Integer Overflow POC Released

🛡️ A public proof-of-concept is available for CVE-2026-55200, a critical libssh2 flaw that allows a malicious SSH server to trigger memory corruption on connecting clients, potentially enabling code execution without credentials or user interaction. The bug affects all releases up to 1.11.1 and scores 9.2 (CVSS 4.0). It stems from an unbounded packet_length parsed during the SSH handshake, producing a 32-bit wrap and an out-of-bounds heap write. A patch was merged on June 12 and the CVE published June 17; distributions are backporting fixes while a tagged release is prepared.
read more →

Linux pedit COW exploit lets local users gain root

⚠️ A critical memory-corruption bug in the Linux traffic-control subsystem (CVE-2026-46331, “pedit COW”) enables a local unprivileged user to gain root by corrupting shared page-cache memory. The flaw allows modification of a cached setuid binary image in memory without touching the on-disk file; a public exploit appeared within a day of CVE assignment. The exploit requires the act_pedit module be loadable and unprivileged user namespaces enabled; affected vendors have issued patches and mitigations.
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
read more →

Unpatchable usbliter8 exploit breaks SecureROM

🔒 Security researchers at Paradigm Shift published a working exploit called usbliter8 that achieves arbitrary code execution inside the SecureROM of Apple A12 and A13 SoCs. The flaw is a hardware bug in the Synopsys DWC2 USB controller and cannot be fixed by software updates, making affected devices permanently vulnerable. Exploitation requires physical possession, DFU mode, and a dedicated microcontroller; the public proof-of-concept and write-up were released on June 18, 2026 following coordinated disclosure.
read more →

CISA warns: Patch critical Splunk Enterprise flaw by Sunday

🔒 The U.S. CISA has ordered federal agencies to patch a critical Splunk Enterprise vulnerability (CVE-2026-20253) by Sunday after evidence of active exploitation. The flaw impacts Splunk Enterprise versions 10.2.0–10.2.3 and 10.0.0–10.0.6 and allows unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. Splunk released patches and mitigation guidance, and Shadowserver has identified over 1,400 Internet-exposed Splunk instances that may be at risk.
read more →

Microsoft Confirms RoguePlanet Defender Zero-Day

🛡️ Microsoft disclosed it is preparing a patch for a Defender zero-day tracked as RoguePlanet, now identified as CVE-2026-50656 with a CVSS score of 7.8. The company classifies the issue as a privilege escalation in the Microsoft Malware Protection Engine and says it is working on a quality security update. The exploit was publicly released by researcher Chaotic Eclipse (aka Nightmare-Eclipse), who described it as a race condition that can yield SYSTEM-level shells and may work irrespective of real-time protection settings.
read more →

Microsoft developing patch for Defender RoguePlanet zero-day

🔒 Microsoft is investigating and preparing a security update for a Microsoft Defender elevation-of-privilege vulnerability publicly dubbed RoguePlanet. The flaw, now tracked as CVE-2026-50656, was disclosed with a proof-of-concept last week and reportedly allows spawning SYSTEM-level command prompts via a Defender race condition on fully patched Windows 10 and 11 devices. Microsoft confirmed it is working on a high-quality security update and will publish details in the CVE entry when available.
read more →

CISA flags critical JCE Joomla flaw exploited

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity flaw in Widget Factory's Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities catalog, citing active exploitation. Tracked as CVE-2026-48907 (CVSS 10.0), the improper access control bug allows unauthenticated creation of editor profiles and potential PHP code upload and execution. The flaw affects JCE versions 1.0.0 through 2.9.99.4 and was patched in 2.9.99.5 on June 3, 2026; FCEB agencies must apply fixes by June 19, 2026.
read more →

CISA warns: actively exploited LiteSpeed cPanel flaw

⚠️ CISA has ordered federal agencies to secure servers against an actively exploited LiteSpeed cPanel user-end plugin flaw (CVE-2026-48172 / CVE-2026-54420) that can allow privilege escalation to root on shared hosting with CloudLinux/CageFS. The vulnerability affects plugin versions prior to 2.4.8 and stems from a UNIX symlink following weakness; LiteSpeed released urgent updates and provided a command to check for compromises. Agencies must comply with BOD 26-04 and remediate systems within three days per the Known Exploited Vulnerabilities Catalog.
read more →

Cisco fixes SD‑WAN Manager zero‑day exploited to root

🛡️ Cisco has released patches for a zero-day in Catalyst SD-WAN Manager (formerly SD-WAN vManage), tracked as CVE-2026-20262, which was exploited to escalate to root privileges. The flaw affects all deployment types and results from insufficient validation of user-supplied file uploads, allowing authenticated low-privilege attackers to create or overwrite files via a crafted HTTP request. Cisco PSIRT confirmed active exploitation, provided IOCs, and strongly urged customers to upgrade to fixed releases.
read more →

Weekly Cyber Recap: Active Chrome 0‑Day Patch

⚠️ Google issued fixes for 74 Chrome flaws, including an actively exploited V8 out-of-bounds memory access (CVE-2026-11645). This week's recap highlights exploited enterprise bugs like Oracle PeopleSoft and Check Point VPN, large-scale supply-chain and package abuse in Arch's AUR, and the takedown of a major phishing-as-a-service operation. Practical guidance and trending CVEs round out the update.
read more →

CISA orders three-day patch for Ivanti Sentry flaw

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch an actively exploited Ivanti Sentry flaw (CVE-2026-10520) within three days under Binding Operational Directive BOD 26-04. The vulnerability, an OS command injection in Ivanti's security gateway appliance, has been confirmed exploited and added to CISA's Known Exploited Vulnerabilities Catalog. Shadowserver reports multiple Sentry gateways have already been backdoored and warns unpatched systems are likely compromised.
read more →

ShinyHunters exploited Oracle PeopleSoft zero‑day

🔒 The ShinyHunters extortion group exploited an unpatched Oracle PeopleSoft remote code execution zero‑day (CVE-2026-35273) to compromise enterprise servers, steal data, and extort victims. Mandiant links the activity to UNC6240 and observed attacks from May 27 to June 9, before Oracle published its advisory on June 10. The flaw requires no authentication and exposes PeopleTools 8.61 and 8.62 installations with externally reachable Environment Management Hub endpoints. Universities were heavily targeted; mitigations focus on disabling or blocking PSEMHUB and hunting for post‑exploit indicators.
read more →

Oracle mitigates PeopleSoft zero-day used in data theft

🔔 Oracle warns of a critical PeopleSoft Suite zero-day, CVE-2026-35273, enabling unauthenticated remote code execution and carrying a CVSS 9.8 score. The flaw impacts PeopleSoft PeopleTools versions 8.61 and 8.62; Oracle released emergency mitigations and plans a patch. Threat actor ShinyHunters is linked to active exploitation and large-scale data theft across hundreds of instances. Administrators are urged to review logs and block identified IPs to assess compromise.
read more →

AI-Driven Vulnerabilities and Security Fundamentals

🔍 Talos contrasts personal tech nostalgia with a sharp warning: AI-driven vulnerability discovery now outpaces human patching. The blog highlights how frontier models can autonomously find and exploit zero-days in minutes, collapsing the traditional vulnerability lifecycle. It urges organizations to move beyond patch-centric defenses and adopt a three-stage fallback model emphasizing prevention, detection, and resilience through controls like MFA, CIS benchmarks, segmentation, and behavioral EDR/XDR.
read more →

ShinyHunters Target Oracle PeopleSoft Instances

🛡️ ShinyHunters are actively stealing data from Oracle PeopleSoft instances, claiming breaches across 300 instances at over 100 organizations. The actor says they used a mix of old and zero-day vulnerabilities in a "gadget chain," with many victims in the education sector. Exposed tooling, scripts, and IOCs were found in online directories, and impacted organizations are urged to check logs and begin incident response immediately.
read more →

Microsoft patches YellowKey, GreenPlasma and MiniPlasma zero-days

🔒 Microsoft released June 2026 updates fixing three zero-day vulnerabilities disclosed by a researcher known as "Nightmare Eclipse." The flaws—GreenPlasma and MiniPlasma (local privilege escalation) and YellowKey (WinRE backdoor)—allow attackers to escalate to SYSTEM or bypass BitLocker on affected Windows systems. Microsoft provided mitigations for YellowKey and criticized the public disclosure of proof-of-concepts.
read more →

Proof-of-Concept for Defender RoguePlanet Zero-Day

🛡️ An anonymous researcher known as Chaotic Eclipse published a proof-of-concept for a Microsoft Defender zero-day dubbed RoguePlanet, a race-condition exploit that can yield SYSTEM-level shells on Windows 10 and 11 with June 2026 patches. The PoC is inconsistent across systems and currently fails on Windows Server due to ISO mounting restrictions. The disclosure follows prior Defender flaws from the same researcher and a public conflict with Microsoft over coordinated disclosure and account revocation.
read more →