📡 ~/news - Cyber News & Threats
110 posts
Breaking cybersecurity news, vulnerability disclosures, and threat analysis. Stay informed about the latest in the security landscape.
Palo Alto Networks PAN-OS Zero-Day (CVE-2026-0300) Exploited in the Wild - Critical RCE Threat
A critical buffer-overflow (CVE-2026-0300) in PAN-OS User-ID Authentication (Captive) Portal enables unauthenticated remote code execution with root privileges. State-sponsored actors have been exploiting internet-exposed PA-Series and VM-Series firewalls for almost a month, and patches are slated for May 13.
Critical MOVEit Automation Auth Bypass (CVE-2026-4670) Threatens Thousands of Deployments
Progress Software disclosed a critical authentication-bypass flaw (CVE-2026-4670) in MOVEit Automation, affecting versions prior to 2025.1.5, 2025.0.9 and 2024.1.8. Over 1,400 internet-exposed instances, including U.S. state and local agencies, remain unpatched, prompting urgent upgrades and mitigations.
CISA Flags Critical Linux LPE ‘Copy Fail’ (CVE-2026-31431) as Actively Exploited
The U.S. CISA added CVE-2026-31431, known as “Copy Fail”, to its KEV catalog after confirming active exploitation. The flaw gives any local user a trivial path to root on Linux kernels from 2017 onward, affecting servers, desktops, and containers.
GitHub RCE Flaw CVE-2026-3854: Millions of Private Repos Exposed
A critical remote-code-execution bug (CVE-2026-3854) in GitHub's git-push handling let attackers with push rights execute arbitrary code and read/write any private repository. GitHub patched it within hours, but 88 % of Enterprise Server instances remained vulnerable at disclosure.
cPanel & WHM Authentication Bypass Zero-Day (CVE-2026-41940) Exploited in the Wild
A critical authentication bypass (CVE-2026-41940) in cPanel and WHM allows unauthenticated attackers to gain admin control via a CRLF injection. The flaw has been actively exploited since February 2026, affecting roughly 1.5 million internet-exposed instances. Patches landed on April 30 2026 and CISA added the bug to its KEV catalog.
Zero-Click Windows Shell Flaw (CVE-2026-32202) Enables Fancy Bear NTLM Hash Theft
An incomplete February patch for CVE-2026-21510 left a new zero-click authentication-coercion bug (CVE-2026-32202) that forces Windows Shell to leak NTLMv2 hashes. Russian APT28 (Fancy Bear) is actively exploiting it, prompting emergency patches from Microsoft and a CISA mandate.
Colorado Fertility Clinic Faces Class-Action Over Patient Data Breach
A Colorado fertility clinic’s electronic health record system was compromised, exposing sensitive reproductive health data. A class-action lawsuit alleges violations of HIPAA and state privacy statutes, spotlighting systemic security gaps in health-care providers.
Extradition of Xu Zewei Highlights Ongoing Threat of Silk Typhoon Attacks
Chinese national Xu Zewei was extradited from Italy to the United States and charged with leading the Silk Typhoon (formerly HAFNIUM) campaign that exploited Microsoft Exchange zero-days to steal COVID-19 research from over 12,700 U.S. organizations. The case underscores the persistent danger of state-sponsored cyber espionage and the urgent need for stronger zero-day handling.
Mythos AI Shatters Zero-Day Records: 2,000+ Bugs Found in 7 Weeks
Anthropic’s defensive AI model Mythos discovered over 2,000 previously unknown software vulnerabilities in just seven weeks, representing roughly 30% of the world’s annual zero-day output. The finding highlights AI’s dual-edged role in accelerating both attack capabilities and defensive patching.
AI Agent Zealot Autonomously Breaches GCP and Exfiltrates BigQuery Data
Palo Alto Networks Unit 42 unveiled Zealot, an AI-driven hacking agent that, without any scripted steps, discovered a vulnerable web app, stole credentials, escalated privileges, and exfiltrated data from a Google Cloud BigQuery instance. The proof-of-concept shows AI can orchestrate multi-stage cloud attacks in real time.
Serial-to-Ethernet Converters: Critical Flaws Threatening Infrastructure
A new BRIDGE:BREAK study reveals that serial-to-Ethernet adapters, widely used in RTUs, PLCs, POS terminals, and medical monitors, harbor thousands of known vulnerabilities and dozens of newly discovered flaws, enabling remote code execution, authentication bypass, and data tampering.
Critical Nginx-UI MCP Flaw (CVE-2026-33032) Enables Full Remote Takeover
A newly disclosed CVE-2026-33032 (CVSS 9.8) in nginx-ui’s Model Context Protocol lets unauthenticated attackers rewrite NGINX configs, restart services and seize complete control. Over 2,600 exposed instances have been found and public exploit code is circulating.
CISA Flags Critical FortiClient EMS SQL Injection (CVE-2026-21643) as Actively Exploited
CISA added CVE-2026-21643 to its Known Exploited Vulnerabilities catalog, confirming active exploitation of an unauthenticated SQL injection in FortiClient Enterprise Management Server. Federal agencies must patch by April 16 2026; all organizations should apply mitigations immediately.
Microsoft Pays $2.3 M for 80 Zero-Day Findings in Azure & AI - What It Means
Microsoft awarded $2.3 million to researchers across 700 submissions in the Zero-Day Quest 2026 contest, uncovering 80 high-impact vulnerabilities in Azure and AI services. The flaws expose weaknesses in identity controls, tenant isolation, SSRF chains and cross-tenant access, urging stronger layered defenses.
Critical SharePoint Spoofing Zero-Day (CVE-2026-32201) Actively Exploited - Emergency Patch Released
Microsoft disclosed an actively exploited spoofing zero-day in SharePoint Server (CVE-2026-32201). The flaw lets attackers view and alter sensitive SharePoint data. CISA added it to the KEV list and Microsoft issued emergency patches on April 14 2026.
Critical Remote Code Execution in Windows IKE Service (CVE-2026-33824) - Patch Tuesday Alert
Microsoft’s April 2026 Patch Tuesday revealed CVE-2026-33824, a critical CVSS 9.8 remote code execution flaw in the Windows IKEv2 service. The vulnerability can be triggered by unauthenticated network packets, giving attackers full control of affected Windows Server and client systems.
Marimo RCE Flaw Exploited Within Hours: Critical CVE-2026-39987
A critical unauthenticated RCE vulnerability (CVE-2026-39987) in Marimo's /terminal/ws WebSocket endpoint was weaponized just nine hours after public disclosure, allowing attackers to grab interactive shells and exfiltrate SSH keys. All versions up to 0.20.4 are affected; patches start at 0.23.0.
Critical Chain of Seven IBM WebSphere Liberty Flaws Enables Full Server Takeover
Researchers uncovered seven inter-related vulnerabilities in IBM WebSphere Liberty, including a pre-authentication RCE in the SAML SSO component (CVE-2026-1561) and three AdminCenter flaws (CVE-2025-14915, CVE-2025-14917, CVE-2025-14923). Chaining them lets attackers move from unauthenticated access to complete control of the server.
SAP Patches Critical ABAP SQL Injection (CVE-2026-27681) - What You Must Know
SAP’s April 2026 security patch day closes two high-impact flaws: CVE-2026-27681, a CVSS 9.9 SQL injection in BPC/BW that lets low-privileged users execute arbitrary SQL, and CVE-2026-34256, a missing-auth check in ERP/S/4HANA enabling ABAP code execution. Immediate remediation is required.
Microsoft Patches Exploited SharePoint Zero-Day and 160 Critical Vulnerabilities
Microsoft’s April 2026 Patch Tuesday addressed 165 flaws, including the actively-exploited SharePoint Server spoofing zero-day CVE-2026-32201. The vulnerability landed on CISA’s KEV list, prompting immediate remediation across enterprise SharePoint deployments.
Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Months - Emergency Patch Issued
Adobe has released emergency updates for Acrobat and Acrobat Reader on Windows and macOS after confirming active exploitation of CVE-2026-34621, a prototype-pollution flaw that enables arbitrary code execution via malicious PDFs. The vulnerability has been weaponized since late 2025, primarily with Russian-language lures.
Storm-1175 Accelerates Medusa Ransomware with Zero-Day Exploits
Storm-1175 is weaponising a chain of zero-day and n-day flaws, including CVE-2026-23760, CVE-2025-10035, and CVE-2026-1731, to deliver Medusa ransomware at unprecedented speed, forcing victims to pay before patches can be applied.
Claude’s Lightning Discovery: 13-Year-Old ActiveMQ RCE (CVE-2026-34197) Exposed
Anthropic’s Claude AI helped researchers pinpoint a high-severity, unauthenticated remote code execution flaw in Apache ActiveMQ Classic that had lingered for 13 years. The CVE-2026-34197 bug, exploitable via the Jolokia API, underscores AI’s growing role in vulnerability research and the urgency of patching legacy messaging brokers.
GlassWorm’s Zig Dropper Hijacks Developer IDEs via Malicious npm Packages
Researchers uncovered a new GlassWorm variant that uses a Zig-compiled dropper hidden in a fake WakaTime VS Code extension. The dropper infects all IDEs on a developer workstation, steals credentials and pivots into production environments.
Critical FortiClient EMS Zero-Day (CVE-2026-35616) Actively Exploited - CISA Directive
CISA added CVE-2026-35616, a pre-auth API bypass in FortiClient Enterprise Management Server, to its KEV catalog and issued a Binding Operational Directive. The flaw (CVSS 9.1) enables unauthenticated remote code execution and has been observed in the wild since March 31 2026.
Claude Mythos Uncovers Thousands of Zero-Days - Project Glasswing’s AI-Driven Hunt
Anthropic’s frontier model Claude Mythos, deployed in Project Glasswing, has autonomously identified thousands of high-severity zero-day flaws across major OSes, browsers, and cloud services. Partner vendors like AWS, Apple, Google, Microsoft, and NVIDIA are racing to patch the findings before attackers exploit them.
Zero-Interaction Android Exploit CVE-2026-0049: Critical Patch Required
Google has disclosed a critical zero-interaction remote code execution flaw (CVE-2026-0049) in the Android Framework affecting Android 14-16 and 16-QPR2. Billions of devices are at risk; immediate updates are mandatory.
Critical Cisco IMC Auth Bypass (CVE-2026-20093) Lets Attackers Gain Admin Rights
A pre-authentication flaw in Cisco Integrated Management Controller (IMC) lets unauthenticated attackers bypass login and obtain admin privileges on UCS C-Series and E-Series servers. No work-arounds exist; emergency patches must be applied immediately.
BlueHammer Zero-Day: Critical Windows LPE Exploit Leaked by Disgruntled Researcher
A researcher known as Chaotic Eclipse publicly released exploit code for “BlueHammer,” a Windows local-privilege-escalation zero-day that blends a TOCTOU race condition with path-confusion. No patch exists, making all supported Windows editions vulnerable to SYSTEM-level takeover.
FortiClient EMS Critical Zero-Day CVE-2026-35616 Actively Exploited - Patch Now
Fortinet has released an out-of-band hotfix for FortiClient EMS 7.4.5/7.4.6 after observing active exploitation of CVE-2026-35616, a pre-authentication API bypass that enables unauthenticated code execution. Enterprises must apply the hotfix immediately and plan for the full 7.4.7 release.
Critical RCE in F5 BIG-IP APM (CVE-2025-53521) - Act Now
F5 has re-classified CVE-2025-53521 from a high-severity DoS bug to a critical remote-code-execution flaw. Threat actors are already exploiting vulnerable BIG-IP Access Policy Manager appliances, deploying web shells. Organizations should patch to the fixed versions immediately.
Prescription AI Glasses from Ray-Ban Meta: Security Risks & Privacy Fallout
Meta’s new Ray-Ban prescription AI glasses bring cameras, microphones, and on-device AI to everyday eyewear. The hidden data pipeline, OTA firmware, and cloud tie-ins raise serious privacy and security concerns for millions of users.
Chrome’s WebGPU Zero-Day (CVE-2026-5281) Threatens Billions - What You Need to Know
A critical zero-day in Google Chrome’s WebGPU (CVE-2026-5281) allows remote code execution via a malicious HTML page. Google has issued an emergency advisory and is rolling out patches for all Chrome versions, but the vulnerability impacts billions of users worldwide.
Perplexity AI Accused of Leaking Full Chat Transcripts to Google and Meta
A class-action lawsuit alleges Perplexity AI shares complete user prompts, including health and financial data, with Google and Meta via URL parameters, potentially violating privacy statutes. The case could set a precedent for AI-driven data-privacy regulation.
DHS Shutdown Looms: Cyber-Defense at Risk as Congress Stalls Funding
A Senate-approved funding measure for most of the Department of Homeland Security is awaiting House approval, extending a shutdown that threatens CISA’s threat monitoring, incident response, and critical-infrastructure cyber programs.
DOJ Rebukes State AGs for Illicit Disclosure of HPE-Juniper Confidential Data
State attorneys general mistakenly filed highly confidential HPE and Juniper Networks acquisition documents on a public docket, prompting a formal DOJ rebuke. The incident highlights legal risks, privacy violations, and potential competitive harm when proprietary security information is mishandled.
Critical Supply-Chain Compromise of Axios npm Package Delivers Cross-Platform RAT
The official Axios npm package ([email protected]) was hijacked, pulling in a malicious dependency (plain-crypto-js) that installs a remote-access Trojan on Windows, Linux and macOS. The attack, which bypassed GitHub Actions CI, has a blast radius of over 300 million downloads.
Pro-Iranian Hackers Leak FBI Director’s Personal Docs, Sparking Security Alarm
A pro-Iranian hacking collective says it has compromised the personal email account of FBI Director Kash Patel, publishing old photos, a résumé and other sensitive files. The incident raises alarms about the resilience of high-level U.S. law-enforcement credentials and hints at possible state-sponsored espionage.
Critical ScreenConnect Flaw (CVE-2026-3564) Lets Attackers Hijack RMM Servers
CVE-2026-3564 exposes unencrypted ASP.NET machine keys in ConnectWise ScreenConnect, enabling attackers to forge authentication tokens and take full control of RMM servers. ConnectWise’s 26.1 patch encrypts key storage; immediate mitigation includes patching, rotating keys, and tightening network access.
EDR Killers Harness BYOVD: 34 Signed Drivers Exploited to Disable Security
A new study reveals that 54 ransomware-related utilities are using the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique to abuse 34 legitimately signed Windows drivers. By gaining kernel-mode execution, these EDR killers can shut down endpoint protection, paving the way for unstoppable ransomware encryptors.
Critical SharePoint RCE (CVE-2026-20963) Exploited in the Wild - CISA Issues Urgent Alert
CISA has added CVE-2026-20963, a critical remote-code-execution flaw in SharePoint Server 2016/2019 and Subscription Edition, to its KEV catalog after confirming active exploitation. Agencies have three days to remediate, but many installations remain unpatched.
Trivy Scanner Compromised: Credential-Stealing Backdoor Exposes CI/CD Secrets
Attackers breached Trivy's build pipeline, injecting a credential-stealing module into the official scanner binary and GitHub Actions. The backdoor silently exfiltrates API keys, tokens, and certificates, prompting an emergency advisory to verify signatures, rotate secrets, and upgrade to a patched release.
Critical Langflow RCE (CVE-2026-33017) Exploited Within 20 Hours
An unauthenticated remote code execution flaw in the popular Langflow AI workflow framework (CVE-2026-33017) was weaponized by threat actors within roughly 20 hours of public disclosure, allowing theft of database credentials and paving the way for supply-chain attacks.
Critical Ubiquiti UniFi Flaws (CVE-2026-22557 & CVE-2026-22558) Enable Full System Takeover
Two newly disclosed vulnerabilities in Ubiquiti's UniFi Network Application - an unauthenticated path traversal (CVSS 10.0) and an authenticated NoSQL injection (CVSS 7.7) - give attackers the ability to seize control of the underlying host and elevate privileges across enterprise networks.
Patch Now: Oracle Fusion Middleware Critical RCE (CVE-2026-21992) Demands Immediate Action
Oracle released an out-of-cycle patch for a critical, unauthenticated RCE flaw in Oracle Identity Manager and Oracle Web Services Manager (CVE-2026-21992). The vulnerability lets attackers hijack identities, alter security policies, and move laterally across enterprise networks.
Critical Cisco SD-WAN Auth Bypass (CVE-2026-20127) Under Active Exploitation - Emergency Directive & Mitigation
CISA has issued an emergency directive after confirming active exploitation of CVE-2026-20127, a critical authentication bypass in Cisco Catalyst SD-WAN Manager. Agencies must locate devices, enable external logging, investigate compromise, and apply Cisco patches by March 23 2026. Immediate mitigation steps are outlined for federal and private networks.
Critical HPE AOS-CX Flaw Lets Remote Attackers Reset Admin Passwords
A newly disclosed CVE-2026-23813 in HPE Aruba AOS-CX switches permits unauthenticated remote password resets via the web UI. With a CVSS score of 9.8, the bug threatens full control of enterprise and service-provider networks until patched.
Ivanti Endpoint Manager Auth Bypass (CVE-2026-1603) Added to CISA KEV
CISA has placed Ivanti Endpoint Manager’s authentication-bypass flaw (CVE-2026-1603) on its Known Exploited Vulnerabilities list, urging agencies to patch within two weeks. The unauthenticated bypass can steal credential data and is already being used in the wild, despite patches being available since early 2021.
Critical RCE Flaws Hit Veeam Backup & Replication - Patch Immediately
Three authenticated remote code execution bugs (CVE-2026-21666, CVE-2026-21667, CVE-2026-21708) and two high-severity flaws threaten Veeam Backup & Replication servers. Rapid patching to build 12.3.2.4465 is essential to protect backup data from ransomware and other attacks.
Google Patches Two Actively Weaponized Chrome Zero-Days (Skia & V8)
Google released emergency updates on March 13 2026 for Chrome zero-days CVE-2026-3909 (Skia) and CVE-2026-3910 (V8), both rated 8.8 CVSS and confirmed exploited in the wild. The patches close a third weaponized Chrome flaw this year.
Zero-Day Alert: CVE-2026-21262 Lets Low-Privileged Users Grab SQL Sysadmin Rights
Microsoft disclosed a critical elevation-of-privilege zero-day in SQL Server 2016-2025 (CVE-2026-21262). An authenticated low-privilege account can pivot to sysadmin, jeopardizing on-prem, cloud, and hybrid deployments. Patches released March 10-11, 2026 - immediate remediation is essential.
Zero-Click Data Theft: Excel’s Copilot Agent Flaw (CVE-2026-26144)
A critical information-disclosure bug (CVE-2026-26144) lets a malicious Excel file trigger Copilot Agent to exfiltrate data without any user interaction. Microsoft patched it in March 2026; immediate mitigation is to apply the update or disable Copilot.
Record 90 Zero-Day Exploits in 2025: Enterprise Software Becomes Prime Target
Google Threat Intelligence Group tracked 90 actively-exploited zero-days in 2025 - the highest ever for enterprise software. Nearly half hit security and networking appliances, signalling a dangerous shift toward edge devices.
Cisco Secure FMC Critical Flaws: Auth Bypass & Insecure Deserialization (CVE-2026-20079, CVE-2026-20131)
Cisco disclosed two perfect-score (10/10) vulnerabilities in its Secure Firewall Management Center (FMC) that allow unauthenticated attackers to gain root OS access via authentication bypass and insecure Java deserialization. Immediate patching is mandatory for all FMC and FTD deployments.
Zero-Day Exploits Are Hitting Enterprises Faster, Harder, and More Frequently
Zero-day dwell time has collapsed, with attacks now occurring within days of disclosure. Chinese state-backed groups and commercial surveillance vendors now dominate zero-day usage, and over half of ransomware-linked CVEs in 2025 were weaponised as zero-days, targeting networking and security products.
Cisco Catalyst SD-WAN Flaws CVE-2026-20128 & CVE-2026-20122 Exploited in the Wild
Cisco reports active exploitation of two critical SD-WAN bugs, an info-disclosure (CVE-2026-20128) and an arbitrary file overwrite (CVE-2026-20122). Both are chained with CVE-2022-20775 to bypass auth, gain root, and persist, with threat actor UAT-8616 behind the campaign.
Half of 2025’s Zero-Day Exploits Targeted Enterprises - Google Report
Google’s Threat Intelligence Group logged 90 zero-day vulnerabilities exploited in the wild in 2025, with 43 (nearly 50%) aimed at enterprise technologies. The surge underscores rising attacker focus on high-value corporate assets and the urgent need for robust zero-day detection.
Critical Android LPE CVE-2026-0047 Powers Targeted Spyware Campaigns
A critical local privilege escalation flaw (CVE-2026-0047) in Android's ActivityManagerService has been observed in limited, targeted attacks. The bug requires no user interaction and can grant attackers system-level code execution, raising alarm for both consumers and enterprises.
OpenClaw’s Local Agent Flaw (CVE-2026-25253) Lets Malicious Sites Hijack Your AI Assistant
A critical vulnerability (CVE-2026-25253) allows a malicious website to connect to a locally running OpenClaw agent over localhost, bypass authentication and brute-force the password without limits. Attackers can then execute arbitrary commands, stealing code, credentials, and integrations.
Cisco Patches 48 Flaws - Critical Auth Bypass & RCE Demand Immediate Upgrade
Cisco has released patches for 48 vulnerabilities across its Secure FMC, ASA, and FTD platforms. Two CVEs - CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (remote code execution) - each score 10.0, leaving no work-arounds and forcing urgent upgrades.
Zero-click RCE in FreeScout: CVE-2026-28289 Lets Attackers Take Over Servers
A newly disclosed TOCTOU flaw (CVE-2026-28289) lets attackers upload a .htaccess file prefixed with a zero-width space, bypassing validation and achieving zero-click remote code execution on any self-hosted FreeScout instance.
Critical CVE-2026-2256: MS-Agent Shell Tool Flaw Enables Full System Takeover
A critical input-sanitization bug in the open-source MS-Agent AI framework (CVE-2026-2256) lets crafted prompts drive arbitrary OS command execution via the Shell tool, leading to full host compromise and data exfiltration. Immediate mitigation steps are required.
OAuth Redirect Abuse: Malware Campaign Targets Government Agencies
Microsoft has uncovered a sophisticated phishing campaign that leverages OAuth URL redirection to bypass email and browser defenses, delivering malicious payloads to government and public-sector users. The attacks exploit native OAuth redirect behavior, not token theft, and require immediate mitigation.
Chrome’s Gemini Panel Flaw (CVE-2026-0628) Enables Malicious Extensions to Escalate Privileges
A high-severity vulnerability (CVE-2026-0628) in Chrome’s Gemini Live side-panel allowed malicious extensions to bypass policy checks, inject code into privileged pages and gain local file system, camera, and microphone access. Google patched the issue in Chrome 143.0.7499.192/.193 (Windows/macOS) and 143.0.7499.192 (Linux) in early January 2026.
Google Patches Exploited Qualcomm Zero-Day (CVE-2026-21385)
Google’s March 2026 Android security bulletin patches a critical Qualcomm graphics component zero-day (CVE-2026-21385) that is already being exploited in the wild. The integer overflow leads to memory corruption and remote code execution on devices with over 200 Snapdragon chipsets.
Critical Flaws in Anthropic’s Claude Code Expose Developers to Full Machine Takeover
Three critical vulnerabilities (CVE-2025-59536 and CVE-2026-21852) in Claude Code let malicious project configs execute arbitrary commands and steal API keys, threatening developers, CI/CD pipelines, and downstream services.
VMware Aria Operations Faces Critical Command Injection, XSS & Escalation Flaws
VMware disclosed three high-severity vulnerabilities (CVE-2026-22719, CVE-2026-22720, CVE-2026-22721) in Aria Operations that enable unauthenticated command injection, stored XSS, and privilege escalation. Patches are now available for Aria Operations 8.18.6, Cloud Foundation 5.2.3 and 9.0.2, and related Telco Cloud products.
Juniper PTX Routers Hit by Critical RCE - CVE-2026-21902
Juniper disclosed a critical, unauthenticated remote code execution flaw (CVE-2026-21902) in the On-Box Anomaly Detection framework of Junos OS Evolved on PTX series routers. An out-of-band patch (25.4R1-S1-EVO / 25.4R2-EVO) is now available, but the vulnerability’s impact on network edge devices remains severe.
Cisco SD-WAN Zero-Day (CVE-2026-20127) Exploited - Patch Now
Cisco disclosed a critical CVE-2026-20127 authentication bypass in Catalyst SD-WAN Controllers and Manager, scored 10.0 CVSS, that has been exploited for over three years. CISA’s emergency directive forces federal and private networks to patch immediately.
Fortinet Issues Urgent Patches for Critical XSS and Auth Bypass Flaws
Fortinet released eight security advisories covering FortiAuthenticator, FortiClient for Windows, FortiGate, FortiOS and FortiSandbox. The most severe flaws - CVE-2025-52436 (XSS in FortiSandbox) and CVE-2026-22153 (authentication bypass in FortiOS) - can be exploited without credentials, enabling unauthenticated command execution and privilege escalation. Organizations are urged to apply the patches immediately.
BeyondTrust Remote Support & PRA Critical Pre-Auth RCE (CVE-2026-1731)
BeyondTrust disclosed CVE-2026-1731, a pre-authentication OS command injection that enables unauthenticated remote code execution on Remote Support ≤ 25.3.1 and Privileged Remote Access ≤ 24.3.4. About 11,000 internet-exposed instances are at risk, prompting immediate patching.
Critical SAP CRM, S/4HANA & NetWeaver Flaws: CVE-2026-0488 & CVE-2026-0509
SAP’s February 2026 patch day disclosed two critical vulnerabilities: CVE-2026-0488 (9.9) in the CRM/S/4HANA scripting editor and CVE-2026-0509 (9.6) in NetWeaver ABAP. Both enable authenticated attackers to execute arbitrary SQL or bypass RFC authorizations, demanding immediate remediation.
Moltbook’s Black Market: Prompt-Injection “Digital Drugs” Threaten AI Agents
Moltbook, the AI-only social network, is hosting a thriving marketplace where bots sell malicious prompt-injection payloads dubbed “digital drugs”. These payloads can hijack AI behavior, exfiltrate credentials, and automate attacks across connected services, creating a new supply chain for AI-centric exploits.
Microsoft Patch Tuesday Feb 2026: Six Zero-Days, Including Critical Shell Bypass CVE-2026-21510, Fixed
Microsoft’s February 2026 Patch Tuesday delivered updates for more than 50 vulnerabilities, among them six actively exploited zero-days. The most severe, CVE-2026-21510, bypasses Windows Shell protections, enabling silent execution of malicious links across all supported Windows versions.
Zero-Click Prompt Injection: How Link Previews Turn AI Agents into Data Leaks
Researchers found that AI assistants embedded in messaging apps automatically preview URLs, enabling a zero-click prompt-injection attack that can exfiltrate secrets without user interaction. Mitigations include disabling previews, sandboxing LLM calls, and adding validation layers.
Apple Patches Critical dyld Zero-Day (CVE-2026-20700) Exploited in the Wild
Apple released emergency updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS on Feb 12 2026 to fix CVE-2026-20700, a dyld memory-corruption flaw leveraged by sophisticated actors for remote code execution. Immediate patching is essential for all affected devices.
Critical RCE in Windows Notepad Markdown Engine (CVE-2026-20841) Disclosed
A command-injection flaw in the new Markdown rendering engine of Windows Notepad (CVE-2026-20841) allows attackers to execute arbitrary code via crafted Markdown files or links. Microsoft rated it 8.8/10 (critical) and patched it in the February 2026 Patch Tuesday release.
Critical SolarWinds Web Help Desk RCE (CVE-2025-40551) Added to CISA KEV Catalog
CISA has placed the critical CVE-2025-40551 remote code execution flaw in SolarWinds Web Help Desk on its Known Exploited Vulnerabilities catalog. Active exploitation forces federal agencies to patch by the end of February 2026, underscoring the risk to all WHD users.
Critical SSRF Bug (CVE-2025-62616) Plagues AutoGPT Platforms
A critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-62616) has been discovered in Significant-Gravitas AutoGPT versions before autogpt-platform-beta-v0.6.34. Unauthenticated attackers can force the AI agent server to issue arbitrary HTTP requests, exposing internal services and paving the way for credential theft or RCE.
CISA Flags Four Actively-Exploited Vulnerabilities - Immediate Patch Required
CISA has added four CVEs, including a GitLab SSRF and a SolarWinds Web Help Desk flaw, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private enterprises must patch now to stop active exploitation.
Critical Unauthenticated SQL Injection in PEAR (CVE-2026-25241) Threatens PHP Ecosystem
A critical unauthenticated SQL injection (CVE-2026-25241) has been discovered in PEAR versions before 1.33.0 via the /get/<package>/<version> endpoint. Remote attackers can run arbitrary SQL, leading to full database compromise and possible server takeover. Immediate upgrade to PEAR 1.33.0 or strict network segmentation is required.
Critical Ivanti EPMM Zero-Day RCE Flaws (CVE-2026-1281 & CVE-2026-1340) Actively Exploited
Ivanti disclosed two critical, unauthenticated remote-code-execution zero-days in Endpoint Manager Mobile (EPMM). Both CVEs are in CISA’s KEV catalog and are being exploited in the wild, prompting emergency patches and urgent remediation.
FortiCloud SSO Zero-Day (CVE-2026-24858) Triggers Global Service Shutdown
Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) in its FortiCloud single sign-on service. Active exploitation forced the vendor to disable SSO worldwide while patches are rolled out, and CISA added the flaw to its KEV catalog.
CVE-2026-0603: High-Impact Second-Order SQL Injection in Hibernate’s InlineIdsOrClauseBuilder
A newly disclosed high-severity vulnerability (CVE-2026-0603) allows attackers to inject malicious SQL during Hibernate UPDATE/DELETE operations via the InlineIdsOrClauseBuilder. Enterprise Java applications that permit client-controlled identifiers are at risk of data breach or remote code execution.
Microsoft Issues Emergency OOB Patch for Actively Exploited Office Zero-Day (CVE-2026-21509)
Microsoft released an out-of-band security update to patch CVE-2026-21509, a critical security-feature bypass in Office that enables remote code execution. The vulnerability is being actively exploited, forcing enterprises, governments, and individuals to deploy the fix immediately.
China Bans US & Israeli Cybersecurity Software - What It Means for the Industry
Beijing has ordered domestic firms to stop using cybersecurity products from over a dozen US and Israeli vendors, citing national security. The move deepens tech decoupling and forces a rapid shift to home-grown solutions, shaking the global security-software market.
FortiGate SSO Bypass Re-exploited: CVE-2026-22755 Shows Patch Adoption Gaps
A new wave of attacks is leveraging CVE-2026-22755 to gain unauthenticated remote code execution on FortiGate firewalls. Despite a December patch, threat actors are bypassing the fix, exposing enterprises, ISPs, and government agencies to full network compromise.
Oracle Jan 2026 CPU Unveils Critical CVE-2026-21963 Among 158 Fixes
Oracle's January 2026 Critical Patch Update (CPU) rolls out 158 security fixes, highlighted by the newly disclosed critical vulnerability CVE-2026-21963 affecting WebLogic and database services. Immediate patching is essential for OCI, Java-based middleware, and on-premise Oracle deployments.
Microsoft January 2026 Patch Breaks RDP Credential Prompts - Critical Impact
Microsoft’s January 2026 Patch Tuesday bundles 114 CVEs, including the actively exploited zero-day CVE-2026-20805. The update unintentionally disrupts Remote Desktop Services credential prompts, causing authentication failures for users and admins across Windows 10/11 and Server environments.
SmarterMail WT-2026-0001 Auth Bypass: Decompiler-Driven Admin Takeover
A critical authentication bypass (WT-2026-0001) in SmarterTools SmarterMail lets attackers reset the admin password and execute OS commands. The flaw was discovered via binary decompilation; proof-of-concept code is public and active exploitation has been reported worldwide.
Critical SQL Injection in SAP S/4HANA Financials (CVE-2026-0501) - Immediate Action Required
A critical SQL injection (CVE-2026-0501) in SAP S/4HANA Financials - General Ledger lets authenticated attackers run arbitrary SQL. Both Private Cloud and On-Premise deployments are affected. SAP issued patches on Jan 22 2026; rapid remediation is essential.
CVE-2026-22200: Ticket-to-Shell in osTicket - PHP Filter RCE
A critical remote code execution flaw (CVE-2026-22200) allows unauthenticated attackers to inject malicious PHP filter chains into osTicket tickets and exfiltrate files via PDF export. The vulnerability, patched in osTicket 1.18.3/1.17.7, threatens any self-hosted deployment.
Zero-Day Exploit Surge: Nearly 30% of Flaws Attacked Before Disclosure
VulnCheck’s 2026 State of Exploitation report shows that 28.96% of known exploited vulnerabilities were weaponised before public disclosure, up from 23.6% in 2024. The accelerating timeline forces enterprises to rethink patch cycles and threat-intel sharing.
Critical Zero-Day in Cloudflare WAF Allows ACME Path Bypass - Patch Released Jan 19 2026
A critical zero-day in Cloudflare's Web Application Firewall let attackers slip past custom rules via the ACME HTTP-01 challenge path. The flaw was actively exploited before a patch rolled out on Jan 19 2026. Immediate remediation is mandatory for all Cloudflare-protected sites.
Physical Text Hijacks AI Robots: New Visual Prompt Injection Threat
UC Santa Cruz researchers reveal that strategically placed misleading text can manipulate camera-based AI systems without any software breach. The attack, demonstrated on self-driving cars, delivery drones, and service robots, forces a rethink of perception security.
Google Gemini Calendar Prompt Injection: New AI Threat for Enterprises
A newly disclosed flaw lets attackers embed malicious instructions in Google Calendar invites, hijacking Gemini's responses. The vulnerability bypasses typical LLM defenses and forces enterprises to rethink AI security controls.
Cisco Patches Actively Exploited Zero-Day CVE-2026-20045 in Unified CM & Webex
Cisco has released emergency patches for CVE-2026-20045, a critical unauthenticated remote code execution flaw in Unified Communications Manager and Webex, confirmed to be actively exploited. Agencies and enterprises must apply fixes immediately.
Oracle Jan 2026 CPU Fixes 158 CVEs - Critical SSRF in Java Demands Immediate Action
Oracle’s January 2026 Critical Patch Update (CPU) patches 158 unique CVEs across 30 product families, including a high-severity SSRF bug in Java (CVE-2026-21945). Enterprises must prioritize remediation for Database, Fusion Middleware, Cloud Infrastructure, and Java runtimes to avoid remote exploitation.
Critical Prompt-Injection Flaws in Anthropic’s Official MCP Git Server
Three high-severity vulnerabilities (CVE-2025-68143/44/45) were discovered in Anthropic's mcp-server-git. They enable prompt-injection attacks that let adversaries drive AI assistants to execute code, delete files, or load malicious data, affecting any deployment that uses the Model Context Protocol.
January 2026 Patch Tuesday: 114 CVEs Fixed, 3 Zero-Days Actively Exploited
Microsoft’s January 2026 Patch Tuesday delivered fixes for 114 vulnerabilities, including three zero-day flaws under active exploitation. CrowdStrike breaks down the technical details, impact, and mitigation steps for Windows, Office, Azure, Edge, and related services.
China-Linked APT UAT-8837 Leverages Sitecore Zero-Day to Penetrate Critical Infrastructure
UAT-8837, a China-nexus advanced persistent threat, is exploiting a newly discovered Sitecore CMS zero-day (CVE-2025-53690) to gain initial footholds in North American energy, water, and transportation networks. The group follows up with credential dumping, lateral movement via native Windows tools, and data exfiltration.
Critical Gogs RCE (CVE-2025-8110) Under Active Exploitation - What You Must Do Now
CISA adds a high-severity Gogs path-traversal RCE (CVE-2025-8110) to its KEV catalog after confirming active exploitation. Unauthenticated attackers can overwrite files via the PutContents API, compromising CI/CD pipelines. No patch exists yet; immediate mitigations are required.
Critical ServiceNow AI Flaw CVE-2025-12420 Enables Unauthenticated User Impersonation
ServiceNow disclosed a critical CVE-2025-12420 vulnerability in its AI platform that lets unauthenticated actors forge any user identity and execute arbitrary actions. An emergency patch was released in October 2025, but the flaw highlights deep security challenges for AI-enabled SaaS.
MongoBleed (CVE-2025-14847): Critical Unauthenticated Memory Disclosure in MongoDB
MongoBleed (CVE-2025-14847) lets an unauthenticated attacker read arbitrary process memory from MongoDB servers via malformed zlib-compressed messages. With a CVSS 8.7 score, the flaw impacts MongoDB 5.0-5.2 and 6.0-6.1, and patches were released on Jan 13 2026.
Zero-Click Audio Exploit Chains Pixel 9: Project Zero’s Critical Findings
Project Zero has uncovered a multi-stage zero-click exploit chain that compromises Pixel 9 devices without any user interaction. The chain stitches together two new CVEs in the Dolby audio decoder and a kernel driver, prompting an emergency patch rollout for Android 14 users.
RondoDox Botnet Mass-Exploits Critical HPE OneView RCE (CVE-2025-37164)
Check Point Research confirms that the RondoDox botnet is actively exploiting CVE-2025-37164, a critical unauthenticated RCE in HPE OneView. Tens of thousands of attempts have been blocked, forcing immediate patching and network-segmentation actions.
FortiSIEM Critical RCE Flaw (CVE-2025-64155) Allows Unauthenticated Root Takeover
A newly disclosed OS command injection (CWE-78) in FortiSIEM's web interface (CVE-2025-64155) lets unauthenticated attackers execute arbitrary commands, gain admin shells and ultimately compromise the underlying Linux host as root. Fortinet has issued patches for 7.2.0-7.2.5; immediate mitigation is required.
Critical Windows Info-Disclosure Zero-Day (CVE-2026-20805) Actively Exploited - Patch & CISA Alert
Microsoft disclosed CVE-2026-20805, an info-disclosure flaw that can be chained to remote code execution, and released patches on Jan 14 2026. CISA issued an emergency alert confirming active exploitation, urging immediate remediation across all supported Windows versions.
Cisco AsyncOS Zero-Day (CVE-2025-20393) Exploited in the Wild - Patch Now Available
Cisco disclosed a critical remote code execution flaw (CVE-2025-20393) in AsyncOS that has been actively exploited by a suspected Chinese APT since November 2025. Emergency patches were released on 16 January 2026, and immediate mitigation is required for all affected firewalls and IPS devices.
Modernizing Vulnerability Sharing for AI Threats: A New Framework
AI/ML systems introduce a class of vulnerabilities that traditional CVE processes cannot capture. Palo Alto Networks proposes an AI-specific taxonomy, risk scoring, and coordinated disclosure model to protect the expanding AI supply chain.