Posts
Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV
Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
NGINX Rift: 18-Year-Old Rewrite Module Heap Overflow Hits Unauthenticated RCE With Public PoC
CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in ngx_http_rewrite_module that has lived in NGINX since 2008. A working unauthenticated RCE PoC is public; reachability hinges on a specific rewrite-directive pattern most prod configs actually contain.
Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class
A use-after-free in a shared Office DLL lets a malicious message fire RCE through the Outlook Reading Pane and Explorer Preview Pane. Microsoft rates exploitation 'more likely.'
Every Windows Endpoint is a Target: CVE-2026-41096 Heap Overflow in DNS Client Enables Remote Code Execution
CVE-2026-41096 is a CVSS 9.8 heap overflow in the Windows DNS Client. A single malicious DNS response can yield code execution on any Windows host β no auth, no user click, no document opened. The blast radius is every Windows endpoint that resolves a name.
Windows Netlogon CVE-2026-41089: Unauthenticated RCE on Every Domain Controller
May Patch Tuesday's marquee bug is a stack-based buffer overflow in MS-NRPC that hands SYSTEM on any domain controller reachable over the network. Patch DCs first, before anything else.
RubyGems Disables New Signups After Hundreds of Malicious Packages Target Registry Staff
RubyGems froze new account registration after an attacker uploaded hundreds of malicious gems on May 11-12 specifically targeting RubyGems engineers, with XSS payloads and credential-stealing exploits embedded in the packages.
Mini Shai-Hulud Wave 4: TanStack, Mistral AI, UiPath Hit by First-Ever SLSA-Attested Malicious npm Packages (CVE-2026-45321)
TeamPCP's fourth Mini Shai-Hulud wave compromised 42 TanStack packages, the Mistral AI SDK, UiPath, OpenSearch, and Guardrails AI by stealing OIDC tokens out of a GitHub Actions runner's process memory β and shipped malicious versions with valid SLSA Build Level 3 provenance attestations.
Apache CloudStack CVE-2026-25077: Malicious Template Lands Code Execution on KVM Hosts
Apache CloudStack 4.20.3.0 and 4.22.0.1 ship fixes for seven flaws β the headliner lets any account user execute arbitrary code on KVM hypervisor hosts via a malicious template name.
Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes
Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch β that window has now closed.
MuddyWater Wears Chaos Ransomware as a Disguise β Teams Screen-Sharing Funnels Iranian Espionage Through Fake Extortion
Rapid7 attributes a Chaos-branded ransomware intrusion to Iran's MuddyWater. No files were ever encrypted β the ransom note was cover for Stagecomp/Darkcomp espionage delivered via Microsoft Teams screen-share.
cPanel Ships Second Emergency TSR in 10 Days: CVE-2026-29201, 29202, 29203 Patch RCE, Arbitrary File Read, DoS
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new flaws β including a CVSS 8.8 Perl injection in create_user and a chmod-based privilege escalation β barely a week after the CVE-2026-41940 authentication-bypass meltdown.
Dirty Frag: Chained Linux Kernel Bugs Hand Out Root, One Half Still Unpatched
Dirty Frag chains an xfrm-ESP page-cache write (CVE-2026-43284) with an unpatched RxRPC page-cache write (CVE-2026-43500) for reliable root on most Linux distros. Embargo blew up early β public PoC is out, RxRPC fix is not.
Sentry CVE-2026-42354: Incomplete Fix Reopens SAML SSO Account Takeover
Sentry self-hosted is vulnerable again to cross-organization SAML account takeover, three months after CVE-2026-27197 was supposedly patched. Upgrade to 26.4.1.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation
Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.
QLNX: A Stealthy Linux RAT Built To Rob Developer Workstations And Seed The Next Supply Chain Attack
Trend Micro disclosed QLNX, a previously undocumented Linux RAT engineered to harvest developer and CI credentials so operators can trojanize npm, PyPI, Docker Hub, and Kubernetes pipelines downstream.
Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9
Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13 β mitigations only.
DAEMON Tools Supply Chain Compromise: Signed Installers Backdoored Since April 8, Chinese Actor Suspected
Trojanized DAEMON Tools Lite installers signed with the legitimate vendor certificate distributed a multi-protocol backdoor for nearly a month. Kaspersky telemetry shows infection attempts in 100+ countries, with a second-stage implant on government and scientific targets in Russia, Belarus, and Thailand.
Apache MINA Patches CVE-2026-42778 and CVE-2026-42779: Two Incomplete Fixes Land Back-to-Back as RCE
MINA 2.2.7 and 2.1.12 ship critical patches for two deserialization bypasses that each thread the needle through a previous incomplete fix β the third and fourth iterations of the same root bug stretching back to 2024.
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
ShinyHunters Hits Instructure Again: 3.65TB, 275M Canvas Users, May 6 Ransom Deadline
ShinyHunters claims 3.65TB stolen from Instructure's Canvas platform β 275M users across ~9,000 institutions. Second hit in eight months. Ransom timer expires tomorrow.
MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials
Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation; Airbus reported both, no in-the-wild exploitation yet but the MFT family's track record demands immediate patching.
Trellix Confirms Source Code Repository Breach: Security Vendor's Internal Code Accessed by Unknown Attackers
Trellix confirms unauthorized access to a portion of its internal source code repository, with forensic experts and law enforcement engaged. The blast radius for a security vendor going public with a code breach is its customer base β every defender running its EDR agents.
DEEP#DOOR: Python Backdoor Hides C2 Behind bore.pub Tunneling Service to Steal Cloud and Browser Credentials
Securonix details DEEP#DOOR, a Python backdoor that uses the public bore.pub TCP tunneling service for C2, disables Defender/SmartScreen via batch loader, and harvests browser-stored cloud credentials from compromised hosts.
Exim 4.99.2 Patches Four Mail Server Flaws: Heap Corruption via JSON Headers, DNS Poisoning, and SPA Auth Bugs
Exim 4.99.2 fixes four memory-safety bugs (CVE-2026-40684 through 40687) in the world's most-deployed MTA, including a JSON heap-write reachable from untrusted headers.
Trellix Confirms Source Code Repository Breach as XDR Vendor Becomes the Target
Trellix has confirmed unauthorized access to a portion of its internal source code repository, putting one of the industry's largest XDR vendors in the unenviable position of being the breached defender.
SimpleHelp Trio Hits CISA KEV as DragonForce Ransomware Tears Through MSP Fleets
CISA dragged three SimpleHelp RMM bugs into the KEV catalog with a May 8 federal deadline after DragonForce operators chained them to push ransomware across MSP customer fleets in a single shot.
Windows Shell CVE-2026-32202: Incomplete APT28 Patch Reopens Zero-Click NTLM Coercion
Microsoft confirms in-the-wild exploitation of CVE-2026-32202, a zero-click Windows Shell flaw born from an incomplete patch of an APT28 zero-day. Browsing a folder with a malicious LNK leaks Net-NTLMv2 hashes.
Mini Shai-Hulud: SAP, Intercom, and PyTorch Lightning Hit by Bun-Based Stealer in 48-Hour TeamPCP Cascade
TeamPCP's Mini Shai-Hulud campaign poisoned SAP CAP, Intercom, and PyTorch Lightning packages on April 29-30 with a Bun-runtime credential stealer that scrapes secrets directly from CI runner memory.
Copy Fail (CVE-2026-31431): A 732-Byte Python Script Roots Every Major Linux Distro Since 2017
A nine-year-old logic bug in the kernel's algif_aead crypto interface lets an unprivileged user plant four bytes anywhere in the page cache β including inside a setuid binary's cached pages. Root in seconds, no on-disk artifacts, breaks containers.
LiteLLM CVE-2026-42208: Pre-Auth SQLi in the AI Gateway, Exploited 36 Hours After Disclosure
A pre-authentication SQL injection in LiteLLM's auth path (CVSS 9.3) lets an unauthenticated attacker read and modify the proxy database β including upstream OpenAI and Anthropic API keys. First exploitation hit 36 hours after the advisory.
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
CVE-2026-3854: A Single Git Push Owned GitHub.com β and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Server Files
A critical 9.8 CVSS path traversal in CrowdStrike's LogScale lets unauthenticated attackers read arbitrary files from self-hosted clusters. Patch to 1.235.1, 1.234.1, 1.233.1, or 1.228.2 LTS.
Entra Agent ID Administrator Role Could Hijack Any Service Principal β CVE-2026-35431
A built-in Entra ID role meant to manage AI agents could be used to take ownership of any service principal in the tenant β including Global Administrator-equivalent ones β and authenticate as it. Microsoft patched cloud-side on April 9; Silverfort published technical details April 27.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Files (CVSS 9.8)
A critical unauthenticated path-traversal flaw (CVSS 9.8) in CrowdStrike LogScale Self-Hosted lets remote attackers read arbitrary server files via an exposed cluster API endpoint. SaaS already mitigated; on-prem operators must patch immediately.
Itron Discloses Internal Network Breach: Smart Meter and Grid Software Vendor Reports Unauthorized System Access
Itron, a major U.S. supplier of smart metering and grid management software for electricity, water, and gas utilities, disclosed in an SEC 8-K filing that an unauthorized third party gained access to its internal IT network on April 13, 2026.
PhantomRPC: Five Endpoint-Spoofing Paths to SYSTEM on Every Windows Build, No Patch Coming
Kaspersky disclosed PhantomRPC at Black Hat Asia 2026 β an architectural flaw in rpcrt4.dll that lets a low-priv process register a rogue RPC endpoint and hijack SYSTEM-level callers. Microsoft declined to patch.
LMDeploy CVE-2026-33626: SSRF in LLM Inference Server Exploited 12 Hours After Disclosure, Honeypot Sees AWS IMDS Theft
A 7.5-severity SSRF in Shanghai AI Lab's LMDeploy LLM serving toolkit was hit in the wild within 12h31m of the GitHub advisory. Sysdig's honeypot caught an attacker using the vision-language image loader to scrape AWS instance metadata, then pivot to internal Redis and MySQL.
Clerk CVE-2026-41248: createRouteMatcher Bypass Skips Middleware Gating Across Next.js, Nuxt, and Astro
Crafted requests slip past createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro, bypassing middleware-level route protection. Patches landed across three major version branches per SDK on April 24.
ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door
Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade β you have to rotate the key ring.
@bitwarden/cli 2026.4.0 Backdoored in 93-Minute npm Window β 'Shai-Hulud: The Third Coming' Worm Hijacks Developer Credentials
A trojanized @bitwarden/[email protected] sat live on npm for 93 minutes on April 22, exfiltrating GitHub/npm tokens, SSH keys, cloud creds, and crypto wallet keys β and self-propagating through victims' own npm packages. The pivot came from the ongoing Checkmarx/TeamPCP campaign.
LMDeploy SSRF (CVE-2026-33626) Weaponized in 12 Hours to Loot GPU IAM Credentials
A Server-Side Request Forgery in LMDeploy's vision-language image loader turned LLM inference nodes into SSRF primitives for cloud metadata theft β exploited 12 hours and 31 minutes after disclosure.
Kyber Ransomware: First Production PQC Deployment β Rust Windows Variant, ESXi Variant, Same Affiliate
Rapid7 recovered two Kyber variants from a single incident: a Rust-based Windows encryptor that actually implements Kyber1024 + X25519 + AES-CTR, and an ESXi encryptor whose 'post-quantum' claim is just ChaCha8 under RSA-4096. Same campaign ID, same Tor infrastructure, same affiliate.
CanisterSprawl: Self-Propagating npm Worm Hits pgserve, Spreads to PyPI, Exfils to ICP Canister
Malicious pgserve, automagik, xinference, and kube-health releases drop a 1,143-line postinstall stealer that re-publishes itself using stolen npm tokens and exfiltrates to a decentralized ICP canister.
BRIDGE:BREAK β 22 Flaws in Lantronix and Silex Serial-to-IP Converters, ~20,000 Devices Exposed
Forescout's Vedere Labs disclosed 22 CVEs in Lantronix EDS3000PS/EDS5000 and Silex SD330-AC serial-to-IP converters, including unauthenticated RCE, hard-coded keys, and null admin passwords. Roughly 20,000 devices sit directly on the public internet.
Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)
Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026 with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 β a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance β to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline
CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.
The Gentlemen RaaS: SystemBC Proxy Botnet Reveals 1,570 Corporate Victims
A DFIR engagement against The Gentlemen RaaS exposed a SystemBC C2 server proxying over 1,570 likely corporate victims, with affiliates leaning on a 14,700-device FortiGate inventory for initial access.
Vercel Breach: Context.ai OAuth Pivot Exposes Customer Environment Variables
A Lumma Stealer infection at Context.ai gave attackers an OAuth path into a Vercel employee's Google Workspace, then into customer environment variables. ShinyHunters is now selling the data for $2M.
ShinyHunters Dumps 3M Cisco Salesforce Records as UNC6040 Vishing Campaign Expands
ShinyHunters leaks 3M+ Cisco Salesforce CRM records tied to the UNC6040 vishing/OAuth-abuse campaign, exposing federal procurement data, AWS resource references, and GitHub repo names.
ZionSiphon: OT Sabotage Malware Targeting Israeli Water and Desalination Plants
Darktrace dissects ZionSiphon, a politically motivated OT malware built to tamper with chlorine and pressure in Israeli water systems. Broken by bad crypto, but the blueprint is real.
Payouts King Runs Hidden QEMU VMs to Bypass EDR β STAC4713 and CitrixBleed 2 Campaigns
Sophos tracks two Payouts King campaigns running Alpine Linux inside QEMU on Windows hosts to tunnel reverse SSH and evade endpoint security. STAC3725 chains in CitrixBleed 2 (CVE-2025-5777) against NetScaler.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
Operation PowerOFF: 21-Country Takedown Seizes 53 DDoS-for-Hire Domains, Exposes 3 Million User Accounts
Europol-coordinated action across 21 countries seizes 53 booter/stresser domains, makes four arrests in Poland, and captures databases containing over 3 million DDoS-for-hire user accounts.
Kyverno apiCall Service Helper Leaks ServiceAccount Token to Attacker-Controlled Endpoints (CVE-2026-40868)
A high-severity flaw in Kyverno's apiCall servicecall helper implicitly attaches the controller's ServiceAccount bearer token to policy-controlled outbound URLs, letting any ClusterPolicy author exfiltrate the token and impersonate the Kyverno controller.
CISA Adds Apache ActiveMQ CVE-2026-34197 to KEV as 13-Year-Old Jolokia RCE Sees Active Exploitation
CISA added CVE-2026-34197 to the KEV catalog today with an April 30 patch deadline. The 13-year-old Jolokia MBean flaw yields RCE on the broker JVM and is unauthenticated on ActiveMQ 6.0.0β6.1.1 when chained with CVE-2024-32114.
Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth
Fortinet discloses CVE-2026-39808 and CVE-2026-39813 β two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.
Ransomware Hits ChipSoft, the EHR Vendor Behind 80% of Dutch Hospitals
A ransomware attack on Dutch EHR vendor ChipSoft has disrupted hospital systems nationwide and may have exposed millions of patient records.
CVE-2026-21643: Pre-Auth SQL Injection in FortiClient EMS 7.4.4 Under Active Exploitation β CISA Deadline Tomorrow
Critical pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 is being actively exploited. CISA KEV remediation deadline is April 16, 2026.
Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines
Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata β no Perforce installation required for the worst one.
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
CVE-2026-31414: Linux Kernel Netfilter Conntrack Flaw Enables Container Escape Privilege Escalation
A use-after-free in Linux kernel netfilter connection tracking allows local privilege escalation from container workloads β patch your nodes now.
Red Hat OpenShift AI Dashboard Leaks Kubernetes Service Account Tokens (CVE-2026-5483)
A high-severity flaw in Red Hat OpenShift AI's odh-dashboard exposes Kubernetes Service Account tokens via a NodeJS endpoint, enabling unauthorized cluster access.
Anubis Ransomware Gang Claims 2TB Exfiltration from Signature Healthcare as Brockton Hospital Diverts Ambulances
Anubis RaaS group claims theft of 2TB of patient data from Signature Healthcare while Brockton Hospital diverts ambulances, cancels chemo, and operates on paper charts a week after the attack.
Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A missing authentication check on Marimo's terminal WebSocket endpoint (CVE-2026-39987, CVSS 9.3) gave attackers a root shell with no credentials required β and they were actively exploiting it less than 10 hours after the advisory dropped.
Adobe Acrobat Reader Zero-Day CVE-2026-34621: Prototype Pollution RCE Exploited Since December
Adobe patches APSB26-43 after confirming CVE-2026-34621, a CVSS 9.6 prototype pollution flaw in Acrobat Reader actively exploited via malicious PDFs since at least December 2025.
CPUID Website Compromised to Deliver STX RAT via CPU-Z and HWMonitor Downloads
Attackers compromised CPUID's download infrastructure for ~19 hours, replacing CPU-Z and HWMonitor installers with trojanized builds that sideload STX RAT via a malicious CRYPTBASE.dll.
Smart Slider 3 Pro Update Infrastructure Compromised β Backdoored Build Pushed to 800K+ WordPress Sites
Attackers compromised Nextend's update servers to distribute a weaponized Smart Slider 3 Pro build containing a multi-layered RAT with credential exfiltration and persistent backdoors.
GPUBreach: GDDR6 Rowhammer Attack Achieves Root Shell, Bypasses IOMMU
University of Toronto researchers demonstrate full CPU privilege escalation from an unprivileged CUDA kernel via GDDR6 bit-flips, bypassing IOMMU β no patch exists yet.
Project Glasswing: Anthropic's Claude Mythos AI Autonomously Found Thousands of Zero-Days in Every Major OS and Browser
Anthropic's Claude Mythos Preview autonomously discovered thousands of unpatched zero-days across FreeBSD, Linux, OpenBSD, FFmpeg, and every major browser β including a sandbox escape that emailed a researcher.
Chrome 147 Patches 60 Security Flaws Including Two Critical WebML RCE Bugs
Google ships Chrome 147.0.7727.55 with fixes for 60 vulnerabilitiesβtwo critical heap buffer overflow and integer overflow flaws in the WebML component enable remote code execution via crafted HTML pages.
CISA AA26-097A: CyberAv3ngers Exploit Rockwell PLCs Across US Water, Energy, and Government Systems
Six US agencies issue joint advisory after Iranian-affiliated CyberAv3ngers compromise Rockwell Allen-Bradley PLCs in water, energy, and government sectors, manipulating SCADA displays and control logic.
CVE-2026-39860: Nix Package Manager Symlink Bug Gives Any User Root on Multi-User Installs
A critical symlink-following flaw in the Nix daemon lets unprivileged users overwrite arbitrary files as root during fixed-output derivation builds.
CVE-2026-32922: OpenClaw Privilege Escalation Lets Any Paired Device Achieve Full RCE
A missing scope validation in OpenClaw's device.token.rotate endpoint lets any device with operator.pairing scope mint admin tokens and execute arbitrary code on connected nodes.
CISA Adds Ivanti EPMM Zero-Days to KEV as Mass Exploitation Ramps Up
CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities catalog as attackers chain two Ivanti EPMM zero-days for unauthenticated RCE against mobile device management infrastructure.
North Korea's Contagious Interview Campaign Hits 1,700 Malicious Packages Across Five Ecosystems
DPRK-linked Contagious Interview operation now spans npm, PyPI, Go Modules, crates.io, and Packagist with 1,700+ poisoned packages delivering BeaverTail and InvisibleFerret malware.
APT28's FrostArmada Hijacked 18,000 SOHO Routers to Steal Microsoft 365 Credentials β FBI Disrupts Operation
Russia-linked APT28 compromised 18,000 MikroTik and TP-Link routers across 120 countries to hijack DNS and steal Microsoft 365 OAuth tokens. FBI disrupts the operation.
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
Over 1,000 Exposed ComfyUI Instances Hijacked for Cryptomining and Proxy Botnet
Active campaign targets unauthenticated ComfyUI deployments across cloud providers, enlisting them into Monero mining and a Hysteria V2 proxy botnet via malicious custom nodes.
Docker AuthZ Bypass Returns: CVE-2026-34040 Lets Attackers Create Privileged Containers With a Single Padded Request
An incomplete fix for a 2024 Docker AuthZ bypass has resurfaced as CVE-2026-34040, allowing unauthenticated container creation with host filesystem access via oversized HTTP requests.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES) β any authenticated user could get root on virtual desktop hosts or the cluster manager.
Flowise AI Under Active Exploitation: CVSS 10.0 RCE via CustomMCP Node Hits 12,000+ Exposed Instances
Critical unauthenticated RCE in Flowise AI's CustomMCP node (CVE-2025-59528, CVSS 10.0) is under active exploitation. Over 12,000 instances are exposed. Patch to 3.0.6 immediately.
Storm-1175 Chains Zero-Days to Deploy Medusa Ransomware in Under 24 Hours
Microsoft exposes Storm-1175 as a primary Medusa ransomware affiliate, weaponizing zero-days in SmarterMail and GoAnywhere MFT with sub-24-hour dwell times.
Akira Ransomware Now Encrypts in Under an Hour: SonicWall VPNs Are the Front Door
Akira ransomware operators are completing full attack chains from initial VPN access to encryption in under 60 minutes, targeting SonicWall SSL VPNs even on patched devices.
CVE-2026-23442: Remote Kernel Panic via SRv6 NULL Pointer Dereference Threatens IPv6 Infrastructure
A CVSS 8.2 flaw in the Linux kernel's SRv6 implementation lets remote attackers crash systems with crafted IPv6 packets. Patches are outβupdate now.
CVE-2026-34612: Kestra SQL Injection Chains to Host RCE via PostgreSQL COPY TO PROGRAM
Critical CVSS 9.9 flaw in Kestra orchestration platform lets authenticated attackers chain SQL injection through PostgreSQL COPY TO PROGRAM for arbitrary command execution on the Docker host.
CVE-2026-32211: Azure MCP Server Ships with No Auth β Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
Ubiquiti UniFi Network Application Hit With CVSS 10 Path Traversal β Unauthenticated Account Takeover Possible
CVE-2026-22557 is a maximum-severity path traversal in Ubiquiti UniFi Network Application that enables unauthenticated full account takeover. Chain it with CVE-2026-22558 for admin escalation. Patch to 10.1.89 immediately.
Device Code Phishing Attacks Surge 37x as EvilTokens PhaaS Fuels OAuth Abuse Against Microsoft 365
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant have surged 37x in 2026, driven by turnkey PhaaS kits like EvilTokens that bypass MFA and compromise enterprise M365 tenants.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
36 Malicious npm Packages Disguised as Strapi Plugins Deploy Redis Exploits, PostgreSQL Credential Harvesting, and Persistent Implants
A coordinated campaign planted 36 fake Strapi CMS plugins on npm that exploit Redis and PostgreSQL instances, harvest credentials, and install persistent C2 implants targeting production infrastructure.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server β No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
$285M Gone in 12 Minutes: DPRK-Linked Attackers Weaponize Solana Durable Nonces to Gut Drift Protocol
North Korean threat actors drained $285M from Solana's largest perpetual futures exchange by weaponizing durable nonces, fabricating a fake token, and socially engineering governance multisig signers.
Ransomware Hits Minot Water Treatment Plant SCADA System, FBI Investigating
Ransomware compromised the SCADA server at Minot, North Dakota's water treatment plant, forcing 16 hours of manual operations. FBI released a statement today confirming active investigation.
FortiClient EMS Zero-Day Under Active Exploitation β Emergency Hotfixes Released (CVE-2026-35616)
Critical API authentication bypass in FortiClient EMS 7.4.5β7.4.6 is being exploited in the wild. CVSS 9.1. Hotfixes available now.
Ni8mare: CVSS 10.0 Unauthenticated RCE in n8n Workflow Automation (CVE-2026-21858)
A CVSS 10.0 content-type confusion bug in n8n's webhook handler lets unauthenticated attackers read arbitrary files, steal credentials, forge admin sessions, and achieve full RCE. Patch to 1.121.0 immediately.
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE β with ~30,000 Storage Zone Controllers exposed and a public POC now available.
European Commission Confirms Cloud Breach β Trivy Supply Chain Attack Cascades Into 30+ EU Entities
The European Commission confirms a data breach affecting 30+ EU entities after the compromised Trivy scanner leaked AWS API keys to TeamPCP. ShinyHunters published 92 GB of stolen data.
CVE-2026-33186: gRPC-Go Auth Bypass Lets Attackers Skip Deny Rules With a Missing Slash
A critical CVSS 9.1 flaw in gRPC-Go lets unauthenticated attackers bypass path-based authorization by omitting the leading slash from HTTP/2 :path headers.
Langflow's 'Patched' Version Is Still Exploitable β CVE-2026-33017 Deadline Hits April 8
JFrog confirms Langflow 1.8.2 remains vulnerable to CVE-2026-33017 unauthenticated RCE despite being widely reported as fixed. CISA KEV deadline is April 8.
Cisco Patches Two 9.8 CVSS Flaws in IMC and Smart Software Manager β No Workarounds Available
Critical authentication bypass in Cisco IMC (CVE-2026-20093) and unauthenticated root RCE in SSM On-Prem (CVE-2026-20160) both score CVSS 9.8. Patch immediately β no workarounds exist.
CVE-2026-33105: Azure Kubernetes Service RBAC Bypass Scores Perfect 10.0 CVSS
Critical AKS vulnerability allows privilege escalation to cluster admin via RBAC bypass. CVSS 10.0. Patch now.
React2Shell Under Mass Exploitation: 766+ Next.js Hosts Breached in Credential Harvesting Campaign
Threat actor UAT-10608 is mass-exploiting CVE-2025-55182 (React2Shell) to breach Next.js deployments and harvest cloud credentials, SSH keys, and API tokens at scale.
FBI Classifies Salt Typhoon Breach of Wiretap Infrastructure as 'Major Cyber Incident'
The FBI has formally classified the Salt Typhoon compromise of its DCSNet wiretap system as a FISMA major incident, the bureau's first such designation since 2020.
15-Year-Old strongSwan Integer Underflow Lets Unauthenticated Attackers Crash VPN Gateways
CVE-2026-25075 is an integer underflow in strongSwan's EAP-TTLS AVP parser that lets remote, unauthenticated attackers crash the charon IKE daemon β affecting every version since 4.5.0.
CVE-2026-32746: 32-Year-Old GNU Telnetd Bug Gives Unauthenticated Attackers Root via Port 23
A CVSS 9.8 pre-authentication buffer overflow in GNU inetutils telnetd lets remote attackers get root before the login prompt. Patch is incomplete across major distros and a public PoC exists.
CVE-2026-1579: Critical PX4 Autopilot Flaw Gives Attackers Full Drone Control via MAVLink
CISA advisory for CVE-2026-1579 reveals a CVSS 9.8 authentication bypass in PX4 Autopilot that lets unauthenticated attackers gain shell access to drones over MAVLink.
TeamPCP's Supply Chain Cascade: Trivy, KICS, LiteLLM, Telnyx Compromised β Now Pivoting to Ransomware via Vect
TeamPCP poisoned Trivy, KICS, LiteLLM, and Telnyx across GitHub Actions and PyPI in March 2026, harvested ~300 GB of CI/CD secrets, breached Cisco and AstraZeneca, and has now partnered with Vect RaaS to convert stolen credentials into ransomware deployments.
Oracle Identity Manager Pre-Auth RCE: CVE-2026-21992 Emergency Patch
Oracle issued an out-of-band emergency fix for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE in Oracle Identity Manager's REST WebServices component affecting versions 12.2.1.4.0 and 14.1.2.1.0.
CVE-2026-0625: Unauthenticated RCE via DNS Config Endpoint Hits Millions of End-of-Life D-Link Routers
A critical command injection flaw in the dnscfg.cgi endpoint of legacy D-Link DSL, DIR, and DNS devices enables unauthenticated RCE β with no patches coming and active exploitation dating back to November 2025.
F5 BIG-IP APM Flaw Silently Upgraded from DoS to RCE β Now Actively Exploited
A five-month-old F5 BIG-IP APM bug just got reclassified from denial-of-service to pre-auth RCE. Attackers didn't wait for the memo.
TrueConf Zero-Day Weaponized by Chinese-Nexus APT to Backdoor Southeast Asian Governments
Operation TrueChaos exploited CVE-2026-3502 in TrueConf's update mechanism to push Havoc C2 payloads across government networks via a compromised on-premises server.
Chrome Zero-Day CVE-2026-5281: WebGPU Use-After-Free Under Active Exploitation
Google patches fourth Chrome zero-day of 2026 β a use-after-free in the Dawn WebGPU implementation that enables arbitrary code execution via crafted HTML pages.
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.
Axios npm Hijacked: Compromised Maintainer Account Drops Cross-Platform RAT in 100M-Download Package
DPRK-linked UNC1069 compromised the axios npm maintainer's account and published two backdoored versions that deployed the WAVESHAPER.V2 RAT to macOS, Windows, and Linux β present in ~80% of cloud environments.
CVE-2026-3055: NetScaler SAML IDP Memory Overread Is Under Active Recon β Patch Before April 2
Attackers are actively probing Citrix NetScaler ADC/Gateway for CVE-2026-3055, a CVSS 9.3 memory overread that can leak session tokens from SAML IDP-configured appliances. CISA deadline is April 2.
Cisco FMC Zero-Day Exploited by Interlock Ransomware for 36 Days Before Disclosure
CVE-2026-20131 scores a perfect CVSS 10.0. Interlock ransomware had 36 days of free rein before Cisco went public.
CanisterWorm and GlassWorm: Two Independent Supply Chain Attacks Using Blockchain as C2
Both attacks use blockchain infrastructure β ICP and Solana respectively β as command-and-control channels. Trivy itself was compromised.
CrackArmor: Nine AppArmor Flaws Enable Container Escape on Debian, Ubuntu, and SUSE
Every Kubernetes node running these distros is potentially exposed. Root escalation from within containers confirmed.
Three Chrome Zero-Days Patched in March Alone β What's Driving the Surge
Google patched three actively exploited Chrome zero-days this month. The browser attack surface is expanding faster than it's being hardened.