
All news with #zero day exploitation tag

389 articles · page 4 of 20

CISA Orders Federal Patch for Windows Zero-Day Flaw

🔒 CISA has ordered U.S. federal agencies to secure Windows endpoints against a zero-click authentication coercion flaw tracked as CVE-2026-32202. Akamai reported the bug as a residual issue left behind by an incomplete February patch for an RCE, CVE-2026-21510, and says it enabled credential theft through LNK files that Windows parses automatically, with no click required. Microsoft flagged the flaw as exploited after inquiries from reporters, and CISA added it to the KEV Catalog, directing agencies to patch by May 12 under BOD 22-01. Organizations outside the federal government are urged to apply the vendor fix or mitigations, or to discontinue affected products if no fix is available. Because the bug coerces Windows into authenticating outbound, the usual controls against credential-capture and relay attacks (blocking outbound SMB at the network edge, requiring SMB signing) reduce exposure until the patch is deployed.

Chinese Silk Typhoon Hacker Extradited to U.S. from Italy

🛡️ A Chinese national accused of ties to the Silk Typhoon group has been extradited to the United States from Italy to face charges alleging multiple cyber intrusions and theft of COVID‑19 vaccine research. U.S. prosecutors say 34-year-old Xu Zewei and co-defendant Zhang Yu carried out operations between February 2020 and June 2021 at the direction of the MSS Shanghai State Security Bureau, exploiting zero-day vulnerabilities in Microsoft Exchange Server to deploy web shells for remote access. Xu, who was arrested in Milan in July 2025 while on vacation with his wife, has pleaded not guilty and says he is a case of mistaken identity; Zhang remains at large.

CISA flags new SD-WAN flaw as actively exploited in attacks

⚠️ CISA has flagged an information-disclosure vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20133) as actively exploited and gave federal agencies four days to secure affected systems. Cisco patched the flaw in late February, describing it as insufficient file-system access restrictions that can let an unauthenticated attacker read sensitive operating-system information through the API. CISA added it to the Known Exploited Vulnerabilities Catalog on April 20 and directed agencies to follow Emergency Directive 26-03 and Cisco's hardening guidance, or to discontinue affected cloud services if mitigations are unavailable.

CISA Adds Eight Vulnerabilities to KEV Catalog After Exploitation

⚠️ CISA added eight vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog on the basis of evidence of active exploitation. The additions cover PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra, and multiple issues in Cisco Catalyst SD‑WAN Manager. Under BOD 22‑01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the prescribed due dates; CISA strongly urges all other organizations to give the same entries priority as part of routine vulnerability management.
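To act on KEV additions like these, here is an added example (not CISA's code, and not from any item on this page) that parses the catalog's JSON feed shape and turns the entries matching a local (vendor, product) inventory into a queue sorted by BOD 22-01 due date. The two entries embedded below are constructed from this page's items (the CVE IDs, the May 12 due date, and the April 20 addition with a four-day window); the dateAdded for the Windows entry, the descriptive strings and the inventory list are placeholders and assumptions, not values copied from the live feed.

```python
"""Turn CISA KEV catalog entries into a dated patch queue for a local inventory.

Added example for this digest, not code from CISA. The feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and the field names used here (cveID, vendorProject, product, dateAdded,
dueDate, requiredAction) are the catalog's own. The entries below are
constructed for offline use from this page's items; values not on the page
are placeholders.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {   # constructed: CVE and May 12 due date from the page; dateAdded is a placeholder
            "cveID": "CVE-2026-32202",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Authentication Coercion Vulnerability",
            "dateAdded": "2026-04-21",
            "shortDescription": "placeholder",
            "requiredAction": "Apply vendor mitigations or discontinue affected products if fixes are unavailable.",
            "dueDate": "2026-05-12",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": [],
        },
        {   # constructed: added April 20 with a four-day window, per the page
            "cveID": "CVE-2026-20133",
            "vendorProject": "Cisco",
            "product": "Catalyst SD-WAN Manager",
            "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability",
            "dateAdded": "2026-04-20",
            "shortDescription": "placeholder",
            "requiredAction": "Apply vendor mitigations or discontinue affected products if fixes are unavailable.",
            "dueDate": "2026-04-24",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
            "cwes": [],
        },
    ],
})


def load_kev(raw):
    """Parse the feed JSON and return its vulnerability list."""
    return json.loads(raw)["vulnerabilities"]


def _norm(s):
    """Lower-case, drop hyphens and collapse whitespace so 'SD-WAN' == 'sd wan'."""
    return " ".join(s.lower().replace("-", " ").split())


def triage(entries, inventory, today):
    """Match KEV entries to (vendor, product) pairs and annotate with days left.

    Vendor must match exactly after normalisation; product matches when either
    name contains the other, because inventory strings are rarely identical to
    CISA's naming. Result is sorted soonest-due first, overdue items on top.
    """
    hits = []
    for e in entries:
        e_vendor, e_product = _norm(e["vendorProject"]), _norm(e["product"])
        for vendor, product in inventory:
            v, p = _norm(vendor), _norm(product)
            if v != e_vendor or not (p in e_product or e_product in p):
                continue
            due = date.fromisoformat(e["dueDate"])
            days_left = (due - today).days
            hits.append({
                "cve": e["cveID"],
                "product": f"{e['vendorProject']} {e['product']}",
                "added": e["dateAdded"],
                "due": e["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "action": e["requiredAction"],
            })
            break  # one hit per KEV entry even if several inventory rows match
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


if __name__ == "__main__":
    # Assumed inventory; 'Acme Widget' is there to show non-matches are dropped.
    inventory = [("Microsoft", "Windows"), ("Cisco", "Catalyst SD-WAN Manager"), ("Acme", "Widget")]
    for h in triage(load_kev(SAMPLE_KEV_JSON), inventory, date(2026, 4, 22)):
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']:>3}d"
        print(f"{flag} {h['cve']} {h['product']} (due {h['due']}) -> {h['action']}")
```

Against the live feed, replace SAMPLE_KEV_JSON with the downloaded file's contents. The product match is deliberately loose (substring either way), so treat the output as a review list rather than auto-filing tickets from it.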

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities, codenamed BlueHammer, RedSun, and UnDefend, to elevate privileges and disrupt Defender's protections. Microsoft fixed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched, and the public PoCs for both are already being used in the wild. Huntress saw weaponization begin on April 10 for BlueHammer and on April 16 for RedSun and UnDefend, and says it isolated affected environments while investigating post-exploitation activity.

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.

Leaked Windows zero-days exploited to gain SYSTEM privileges

🔓 Threat actors are actively using proof-of-concept exploit code for three recently disclosed Windows vulnerabilities to elevate privileges or disrupt Microsoft Defender. Researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse") published PoCs for BlueHammer, RedSun, and UnDefend in protest over Microsoft’s handling of disclosure. Huntress Labs has observed exploitation in the wild, with BlueHammer seen since April 10, and Microsoft has patched only BlueHammer (CVE-2026-33825) so far while RedSun and UnDefend remain unaddressed.

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by the researcher 'Chaotic Eclipse'. It demonstrates a local privilege escalation to SYSTEM on patched Windows 10, Windows 11, and supported Windows Server releases whenever Defender is enabled. The PoC abuses Defender's handling of cloud-tagged files exposed through the Cloud Files API to overwrite system binaries and run code as SYSTEM. Security analyst Will Dormann of Tharros confirmed that the exploit works. Some antivirus products flag the PoC, but only because it embeds the EICAR test string; that detection says nothing about coverage of the technique itself. The researcher describes the publication as a protest over interactions with the Microsoft Security Response Center.

Microsoft April Patch Fixes Two Zero-Day Vulnerabilities

🔒 Microsoft's April Patch Tuesday update addresses an unusually large set of CVEs, including two zero-days. CVE-2026-32201, a spoofing vulnerability in SharePoint Server that can manipulate how information is presented to users, is being actively exploited. CVE-2026-33825, a publicly disclosed elevation-of-privilege bug in Microsoft Defender, could yield system-level access when chained with other exploits. Administrators are urged to prioritise these fixes and also review a high-risk IKEv2 remote code execution issue rated CVSS 9.8.

Microsoft Patch Tuesday April 2026: 167 Vulnerabilities Fixed

🔒 Microsoft's April 2026 Patch Tuesday updates address 167 security flaws across Windows and related products, including a SharePoint Server zero-day (CVE-2026-32201) and a publicly disclosed Windows Defender privilege-escalation flaw dubbed BlueHammer. Google (for Chrome) and Adobe also issued emergency fixes for actively exploited zero-days. Administrators should prioritize the SharePoint, SQL Server, and Defender patches, and restart browsers so that Chromium-based updates actually take effect.

Microsoft April 2026 Patch Tuesday: 165 Vulnerabilities

🔒 Microsoft released its April 2026 Patch Tuesday addressing 165 vulnerabilities across Windows, Office, .NET and server components, including eight rated critical. Critical issues include a .NET DoS (CVE-2026-23666), Remote Desktop and Office use-after-free flaws that can lead to code execution (CVE-2026-32157, CVE-2026-32190), multiple Word local code-execution bugs (CVE-2026-33114, CVE-2026-33115), and an IKEv2 double-free enabling remote code execution (CVE-2026-33824). Talos notes SharePoint vulnerability CVE-2026-32201 is being exploited in the wild and has released Snort rules; administrators should prioritize exposed services and apply mitigations such as blocking UDP 500/4500 if IKE is unused.

Microsoft April 2026 Patch Tuesday: 167 Flaws, 2 Zero-Days

🔒 Microsoft released its April 2026 Patch Tuesday addressing 167 vulnerabilities, including two zero-days and eight Critical flaws. The updates patch an actively exploited SharePoint Server spoofing bug (CVE-2026-32201) and a publicly disclosed Microsoft Defender elevation-of-privilege flaw (CVE-2026-33825) that can grant SYSTEM privileges. Multiple Microsoft Office RCEs exploitable via preview panes or malicious documents were fixed; administrators should prioritize installing these patches immediately.

April 2026 Patch Tuesday: Two Zero-Days, Eight Critical

⚠️ Microsoft’s April 2026 Patch Tuesday addresses 164 CVEs, including two zero-days and eight Critical vulnerabilities. The release focuses heavily on elevation-of-privilege flaws (57% of patches) and updates for Windows, Office and developer tools. Notable fixes include an exploited SharePoint spoofing zero-day (CVE-2026-32201), a disclosed Defender elevation-of-privilege issue (CVE-2026-33825), and several high‑risk RCEs; deploy patches promptly and apply recommended mitigations.

Critical wolfSSL vulnerability allows forged certificates

🔒 A critical vulnerability in the wolfSSL TLS/SSL library (CVE-2026-5194) stems from improper checking of the hash algorithm and digest size during ECDSA and other signature verification. Researchers warn that an attacker can present a forged certificate carrying an undersized digest that vulnerable builds accept, enabling impersonation of servers, signed files, or connections. The issue, found by Nicholas Carlini of Anthropic, was fixed in wolfSSL 5.9.1 (April 8). Because wolfSSL is widely embedded in devices and appliances, administrators should check vendor firmware and products for the updated library as well as standalone deployments.

Adobe issues emergency patch for Acrobat/Reader zero-day

🔒 Adobe released an emergency security update to fix a zero-day tracked as CVE-2026-34621, which has been exploited since at least December to bypass Acrobat/Reader sandbox protections. The flaw lets malicious PDFs invoke privileged JavaScript APIs (for example util.readFileIntoStream() and RSS.addFeed()) to read local files and exfiltrate data with no user interaction beyond opening the file. Affected versions of Acrobat DC, Acrobat Reader DC and Acrobat 2024 have fixes available; Adobe urges users to update via Help > Check for Updates or by downloading the installer.

Critical Pre-Auth RCE in Marimo Exploited Quickly in the Wild

⚠️ A critical pre-authentication remote code execution vulnerability in Marimo (CVE-2026-39987) lets an unauthenticated attacker obtain a full interactive shell simply by connecting to the exposed /terminal/ws endpoint. The flaw affects all Marimo versions before 0.23.0 and was exploited in the wild within 9 hours and 41 minutes of disclosure; Sysdig watched an attacker steal cloud credentials in under three minutes. Update to 0.23.0, keep the service off the public internet, and rotate any keys an exposed instance could have read.

AI Claude Rapidly Finds 13-Year ActiveMQ RCE Bug Exploit

🔍 Researchers at Horizon3.ai used Anthropic’s Claude to rapidly identify a critical remote code execution vulnerability in Apache ActiveMQ Classic that persisted for roughly 13 years. The flaw (CVE-2026-34197) allows misuse of the Jolokia management API—for example via addNetworkConnector—to load a malicious remote Spring XML and execute arbitrary Java/system commands. While the issue requires authentication in principle, default credentials remain common and a separate vulnerability in some 6.x builds can expose Jolokia without auth, turning it into an unauthenticated RCE. Apache has released patches in 5.19.4 and 6.2.3; administrators should upgrade and restrict access to management interfaces immediately.

Marimo RCE Exploited Within Hours; Patch Released Urgent

⚠️ A critical pre-auth remote code execution flaw in Marimo, CVE-2026-39987, allowed unauthenticated attackers to obtain a full PTY shell via the /terminal/ws WebSocket endpoint. The issue affected all versions up to and including 0.20.4 and was addressed in Marimo 0.23.0. Security researchers at Sysdig observed exploitation within 9 hours and 41 minutes of public disclosure, with rapid credential theft on a honeypot: operators explored the file system and read .env and SSH key files even though no proof-of-concept code had been published.

Adobe Reader zero-day exploited via crafted PDF lures

⚠️ Security researchers report that a previously unknown zero-day in Adobe Reader is being actively exploited through maliciously crafted PDF documents. The exploit, linked to samples named Invoice540.pdf, has been observed since at least December 2025 and runs obfuscated JavaScript to harvest data and retrieve additional payloads. Analysts warn that the vulnerability abuses privileged Acrobat APIs, worked against the latest Adobe Reader build at the time of the report, and may enable follow-on RCE or a sandbox escape.

Attackers Exploiting Adobe Reader Zero-Day Since December

⚠️ Haifei Li has identified a zero-day vulnerability in Adobe Reader that has been exploited since at least December via maliciously crafted PDFs. The attack uses a sophisticated, fingerprinting-style exploit that harvests local data through Acrobat APIs and may enable follow-on RCE or a sandbox escape with no user interaction beyond opening the file. Li urges users to avoid PDFs from untrusted sources and, as a temporary mitigation, to monitor network traffic for the Adobe Synchronizer User-Agent string.
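Two items on this page name a concrete network-side indicator: the Marimo /terminal/ws endpoint (CVE-2026-39987) that hands a shell to anyone who can reach it, and the Adobe Synchronizer User-Agent string that Haifei Li suggests watching for. As an added example (not code from Marimo, Adobe, Sysdig or the researchers cited), the script below parses NCSA combined-format access logs, as written by nginx or Apache and by forward proxies configured the same way, and applies both checks. The log lines, addresses and timestamps are constructed for the example; the rule names and the internal-network list are assumptions.

```python
"""Two detections from this digest over combined-format access logs.

Added example for this page; not code from marimo, Adobe, Sysdig or the
researchers cited. Assumes NCSA combined format. The sample log is constructed.
"""
import ipaddress
import re

# NCSA combined: src ident user [ts] "METHOD PATH PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of address ranges treated as internal. ipaddress.is_private is
# not used because it also classifies the documentation ranges used in the
# sample (203.0.113.0/24, 198.51.100.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]

# Constructed sample: a WebSocket upgrade to marimo's terminal endpoint from the
# Internet, the same from localhost, a benign health probe, and one outbound
# request logged by a forward proxy with the Acrobat synchronizer User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:10:15:02 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Apr/2026:10:15:30 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Apr/2026:10:16:11 +0000] "GET /health HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.12 - - [21/Apr/2026:10:17:45 +0000] "GET http://203.0.113.9/collect HTTP/1.1" 200 4096 "-" "Adobe Synchronizer"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_external(ip):
    """True if ip is outside INTERNAL_NETS; unparseable addresses count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch.
    return not any(addr in net for net in INTERNAL_NETS)


def detect(rec):
    """Apply both rules to a parsed record and return the names of those that fire."""
    hits = []
    # CVE-2026-39987: /terminal/ws hands out a PTY shell before any auth, so an
    # upgrade to it from a non-internal source is a direct exposure signal.
    path = rec["path"].split("?", 1)[0]
    if path.startswith("/terminal/ws") and is_external(rec["src"]):
        hits.append("marimo-terminal-exposed")
    # Adobe Reader zero-day: the interim advice is to watch for this User-Agent.
    # Hits are review leads, not blocks; Acrobat's own sync traffic will match.
    if "adobe synchronizer" in rec["ua"].lower():
        hits.append("acrobat-synchronizer-ua")
    return hits


def scan(lines):
    """Return (src, rule, path) for every rule that fires on every parseable line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in detect(rec):
            out.append((rec["src"], rule, rec["path"]))
    return out


if __name__ == "__main__":
    for src, rule, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:<26} src={src:<14} path={path}")
```

Run it against real logs by feeding a file object to scan(). The marimo rule ignores loopback and RFC 1918 sources by design; if the notebook server sits behind a reverse proxy, log and match the X-Forwarded-For address instead, or the rule will never fire.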