Tag: actively-exploited
All items tagged actively-exploited.
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV
- CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)
- CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited (CISA KEV)
- CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited
- UPDATE: FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
- UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
- FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory
- CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)
- UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089
- UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU
- CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate `[SINGLE-SOURCE]`
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix `[SINGLE-SOURCE]`
- UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored
- UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch
- CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild
- UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007
- CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV
- CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV
- Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
- UPDATE: PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
- CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV
- CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated `eval()` injection, actively exploited at scale
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited
- IronWorm + Miasma AI coding-agent injection: two supply-chain worms target cloud credentials and developer toolchains simultaneously
- Public sector — most-targeted sector this week by volume and by operational severity
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
- CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
- UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day
- Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980
- CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via `lsws.redisAble`, actively exploited
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
- CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)
- UPDATE: Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
- SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
- CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited
- UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`
- UPDATE: CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28
- TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims
- Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix
- Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
- Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow
- TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week
- Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited
- Technology / developer toolchain — CI/CD supply chain remains the week's highest-volume attack surface
- Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture
- Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters
- PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days
- Dirty Frag (CVE-2026-43284 xfrm-ESP + CVE-2026-43500 RxRPC) — Microsoft confirmed ITW, RxRPC distro patches still propagating
- TeamPCP / Mini Shai-Hulud npm supply-chain worm — wave 4 + framework source leak
- Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain
- PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20
- WordPress retail / e-commerce
- CISA Emergency Directive ED-26-03 — Cisco Catalyst SD-WAN
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned
- UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
- CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch
- UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds `[SINGLE-SOURCE]`
- UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13
- UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option
- Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission
- CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns
- CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
- cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Critical infrastructure water (PL)
- CL-STA-1132 (PAN-OS CVE-2026-0300 exploitation cluster, likely state-sponsored)
- TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts
- The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
- UPDATE: Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories
- Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild exploitation
- PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline
- UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch
- Patch Ivanti EPMM today — KEV deadline expired
- LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key
- CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed
- CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
- UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
- UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail
- UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context
- UPDATE: CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
- CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
- UPDATE: CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE) — CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13