Cisa-Kev
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection — CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
Arista EOS CVE-2026-7473: Tunnel Decap Flaw Bypasses Segmentation — and Arista Won't Patch It
CVE-2026-7473 lets an unauthenticated attacker push arbitrary tunneled traffic through Arista data-center switches that decapsulate it without checking the protocol. Exploited in the wild, on CISA's KEV list with a deadline of today — and Arista has confirmed no patch is coming.
LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.
Ivanti Sentry CVE-2026-10520: Unauthenticated Root RCE via handleMessage, Now in CISA KEV
A CVSS 10.0 OS command injection in Ivanti Sentry's unauthenticated /mics/api/v2/sentry/mics-config/handleMessage endpoint yields remote code execution as root. watchTowr published a PoC on June 10, CISA added it to KEV on June 11 with a June 14 deadline, and exploitation has followed.
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild — Patch Every Chromium Runtime, Not Just Browsers
Google patched CVE-2026-11645, an actively exploited out-of-bounds read/write in V8. The real blast radius is every Chromium runtime you operate — headless Chrome in CI, Electron apps, and server-side renderers.
Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.
SolarWinds Serv-U DoS Flaw CVE-2026-28318 Hits CISA KEV as Attackers Crash File Transfer Servers
CISA added SolarWinds Serv-U CVE-2026-28318 to its KEV catalog after attackers began crashing file transfer servers with a single unauthenticated deflate-encoded POST. Patch to 15.5.4 HF1.
Mirasvit Cache Warmer CVE-2026-45247: One Cookie Pops Any Magento Store, No Auth Required
CISA added CVE-2026-45247 to KEV after Imperva confirmed active exploitation. A single crafted CacheWarmer cookie gives unauthenticated RCE on Magento and Adobe Commerce stores running Mirasvit Full Page Cache Warmer below 1.11.12.
Android Framework Zero-Day CVE-2025-48595: Silent Privilege Escalation Under Active Attack
CVE-2025-48595 is a high-severity integer overflow in the Android Framework that escalates privilege with no user interaction and no special permissions. Google confirms limited, targeted exploitation; CISA added it to KEV on June 2 with a June 5 federal deadline. Affects Android 14, 15, 16, and 16 QPR2.
Oracle WebLogic CVE-2024-21182 Hits CISA KEV: Two-Year-Old T3 Bug Now Under Active Exploitation
CISA added the unauthenticated Oracle WebLogic T3/IIOP flaw CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1. The patch has shipped for two years — this is a story about exposed, unpatched middleware.
SSRF to the Model, Model to the Cloud: The Inference Layer Is 2026's Softest Attack Surface
Model gateways and inference servers are repeating two decades of solved web-security mistakes — default-open binds, pickle RCE, pre-auth SQLi, and SSRF straight into cloud credentials. A field guide to the AI control plane's softest links and how to harden them before the next 36-hour exploitation window.
CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Now Exploited — Unauthorized VPN Access Into Your Network
Palo Alto confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 GlobalProtect authentication bypass that lets attackers establish unauthorized VPN sessions into the internal network. Rapid7 traced exploitation back to May 17. CISA KEV deadline is June 1.
The Edge Device Audit: Turn CISA's BOD 26-02 Into a Playbook You Can Actually Run
CISA's BOD 26-02 just handed every infrastructure team a free edge-device audit checklist. Here is how to run it on your own network — inventory, version, exposure, and end-of-support triage — before an attacker runs theirs.
Trend Micro Apex One CVE-2026-34926: Directory Traversal Turns the EDR Server Into a Malware Dropper
A directory traversal flaw in on-premises Trend Micro Apex One lets an attacker who already holds server admin access poison the agent build and push malicious code to every managed endpoint. CISA added it to KEV after confirmed in-the-wild exploitation.
Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV
Microsoft confirms two Defender flaws — an LPE to SYSTEM and a DoS — are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.
Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV
Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.
Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes
Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch — that window has now closed.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation
Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.
Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9
Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13 — mitigations only.