Tag: cisa-kev
All items tagged cisa-kev.
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)
- CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited (CISA KEV)
- UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
- CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)
- UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored
- UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored
- UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
- CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV
- CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV
- UPDATE: PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
- CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
- CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)
- UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28
- Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
- Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow
- Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
- Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture
- Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters
- Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain
- UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
- CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch
- UAT-8616 exploits Cisco Catalyst SD-WAN CVE-2026-20182; 10+ clusters exploit companion February 2026 CVEs; CISA Emergency Directive ED-26-03 issued
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]
- UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission
- CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns
- CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
- cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch
- Patch Ivanti EPMM today — KEV deadline expired
- LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key
- CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
- UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
- UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail
- UPDATE: CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
- CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
- UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13