BrewedIntel Vulnerabilities

Gladinet Triofox Server Agent Multiple Vulnerabilities

Ben Smith — Wed, 27 May 2026 19:11:55 GMT

AI Summary

Multiple critical vulnerabilities were disclosed in Gladinet Triofox Server Agent version 17.1.10488.57063, including missing authentication (CVE-2026-8364) allowing unauthenticated remote attackers to list, add, change, and delete files on the Triofox Drive; stack-based buffer overflows in WOSDeviceDropFolder.dll (CVE-2026-8363) and WOSDefaultHttpModule.dll (CVE-2026-8362) enabling remote code execution; a path traversal (CVE-2026-8361) for arbitrary file read; and two denial-of-service vulnerabilities (CVE-2026-8360, CVE-2026-8359) via NULL pointer dereference or NULL function pointer call. All vulnerabilities are remotely exploitable without authentication, pose severe risk of complete host compromise, sensitive data exposure, and service disruption, and require immediate patching and network segmentation.

Why do I care?

Attackers can exploit these CVEs without authentication to execute arbitrary code, access sensitive files, or crash the service, potentially leading to ransomware deployment or data theft.

What can I do about it?

Apply the vendor's security update immediately; restrict network access to TCP port 7878 to trusted hosts only; and monitor logs for unusual HTTP requests targeting /resources, /Settings, /profile, /woshome, /status, or /sysinfo.

Classification

Vulnerability, Critical Severity, Denial of Service, Missing Authentication for Critical Function, Path Traversal

Source

Source feed: Tenable Research Advisories | Original source

FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

Arctic Wolf Labs — Wed, 27 May 2026 18:23:19 GMT

AI Summary

Arctic Wolf reports active exploitation of CVE-2026-35616 in FortiClient EMS to deploy EKZ Infostealer, a credential-stealing malware. The campaign abuses trusted endpoint management infrastructure to push the payload as a fake Fortinet patch. Execution is achieved via PowerShell, silently running the malicious executable. This infostealer collects credentials, posing a significant risk of lateral movement and privilege escalation. Organizations using FortiClient EMS should consider it compromised if unpatched and monitor for anomalous PowerShell activity.

Why do I care?

Exploitation of FortiClient EMS can lead to widespread credential theft across managed endpoints, compromising domain credentials and enabling lateral movement.

What can I do about it?

Apply the latest FortiClient EMS patches, monitor for suspicious PowerShell activity, and enforce application control to block unauthorized executables.

Classification

Vulnerability, High Severity, Credential Theft, Exploit

Source

Source feed: Arctic Wolf Labs | Original source

AI-Assisted Exploit Development Outpaces Scanner Detection

Elizabeth Montalbano — Wed, 27 May 2026 16:11:19 GMT

AI Summary

Recent research indicates that attackers are leveraging artificial intelligence to significantly accelerate the development of working exploits for vulnerabilities (CVEs). This AI-assisted approach outpaces traditional detection methods, enabling faster weaponization of known flaws. While specific exploits or campaigns are not yet identified, the trend underscores an evolving threat landscape where AI lowers barriers for exploit development, potentially increasing the frequency of attacks. Organizations should monitor for AI-generated exploit patterns and prioritize patch management.

Classification

Vulnerability, Medium Severity, Exploit Development

Source

Source feed: Dark Reading | Original source

Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate

Eduard Kovacs — Wed, 27 May 2026 14:30:00 GMT

AI Summary

Novee researchers discovered an account takeover vulnerability in the open-source conference management tool Pretalx. This flaw could allow an attacker to gain full control of a victim's account, potentially manipulating talk acceptances or accessing sensitive data. The vulnerability affects a widely used platform for managing call for papers, posing a significant risk to conference organizers and participants. Immediate action is recommended to apply patches or mitigations as soon as they become available to prevent exploitation.

Why do I care?

Account takeover in Pretalx could allow attackers to manipulate conference submissions, steal credentials, or gain unauthorized access to sensitive conference data.

What can I do about it?

Monitor for security updates from the Pretalx project and apply patches promptly. Implement additional security measures such as multi-factor authentication to reduce risk.

Classification

Vulnerability, High Severity, Account Takeover

Source

Source feed: SecurityWeek | Original source

MediaArea heap-based buffer overflow vulnerabilities

Kri Dontje — Wed, 27 May 2026 14:00:14 GMT

AI Summary

Cisco Talos disclosed four heap-based buffer overflow vulnerabilities (CVE-2026-25104, CVE-2026-25713, CVE-2026-28764, CVE-2026-22554) in MediaArea MediaInfoLib version 26.01. These flaws can be triggered by supplying a malicious media file, leading to arbitrary code execution. The vendor has released patches. Organizations should update to the latest version and deploy Snort rules to detect exploitation attempts.

Why do I care?

These vulnerabilities allow remote code execution via specially crafted media files, posing a critical risk to systems using MediaInfoLib.

What can I do about it?

Update MediaInfoLib to the latest patched version and apply Snort signatures from Cisco Talos to detect and block exploitation attempts.

Classification

Vulnerability, Critical Severity, Arbitrary Code Execution, Buffer Overflow

Source

Source feed: Cisco Talos Intelligence Group | Original source

Can you enforce strong Active Directory password rules without frustrating users?

Sponsored by Specops Software — Wed, 27 May 2026 14:00:10 GMT

AI Summary

The article discusses strategies for enforcing strong password policies in Active Directory without frustrating users. It highlights the use of passphrases, breached password protection, and self-service password resets to enhance security. While weak passwords are a common attack vector, the article does not detail a specific active threat. Instead, it provides guidance on improving password hygiene to mitigate credential theft and unauthorized access. Organizations are encouraged to adopt these practices to strengthen their security posture. The overall impact is positive, as it helps prevent common attacks such as password spraying and brute force attempts.

Classification

Vulnerability, Medium Severity, Brute Force, Credential Theft, Password Spraying

Source

Source feed: Bleeping Computer | Original source

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA — Wed, 27 May 2026 12:00:00 GMT

AI Summary

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-8398 in Daemon Tools Lite, CVE-2026-45321 in TanStack, and CVE-2026-48027 in Nx Console, all with evidence of active exploitation. These vulnerabilities pose significant risks to federal enterprises and are frequently used as attack vectors. CISA's BOD 22-01 mandates remediation by FCEB agencies, and all organizations are urged to prioritize patching these CVEs as part of their vulnerability management practices.

Why do I care?

These actively exploited vulnerabilities are added to CISA's KEV catalog, indicating significant risk and frequent use by attackers to compromise systems.

What can I do about it?

Immediately prioritize patching CVE-2026-8398, CVE-2026-45321, and CVE-2026-48027 in your environment, following the due dates specified in BOD 22-01 or sooner.

Classification

Vulnerability, High Severity, Known Exploited Vulnerability

Source

Source feed: CISA Current Activity | Original source

RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software Binaries

Ionut Arghire — Wed, 27 May 2026 11:52:55 GMT

AI Summary

RevEng.AI has raised $15 million to develop BinNet, an AI model designed to identify vulnerabilities and backdoors in software binaries. This funding will enhance their ability to analyze released software for security flaws, potentially improving supply chain security. The article highlights the growing use of AI in vulnerability discovery.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Gitea Vulnerability Exposes Private Container Images without Authentication

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 10:06:32 GMT

AI Summary

A critical vulnerability in Gitea (CVE-2026-27771) allows unauthenticated remote attackers to pull private container images from self-hosted Gitea deployments without any authentication. This flaw exposes sensitive data such as proprietary code, secrets, and credentials stored in container images, posing a significant risk of data breach and further compromise. The vulnerability affects all Gitea versions prior to 1.26.2. No CVSS score has been assigned, but the ease of exploitation and potential impact warrant immediate attention. Organizations using vulnerable Gitea instances should urgently upgrade to version 1.26.2 or later to mitigate the threat. No workarounds are currently available, making patching the only reliable defense.

Why do I care?

This vulnerability can lead to unauthorized access to private container images, potentially exposing sensitive intellectual property, credentials, and application secrets that could be leveraged for lateral movement and further attacks.

What can I do about it?

Immediately upgrade Gitea to version 1.26.2 or later. Additionally, restrict network access to Gitea instances, monitor for suspicious activity in container registries, and audit access logs for signs of exploitation.

Classification

Vulnerability, High Severity, Information Disclosure, Unauthorized Access

Source

Source feed: The Hacker News | Original source

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Sergiu Gatlan — Wed, 27 May 2026 10:06:17 GMT

AI Summary

CISA has issued an emergency directive requiring U.S. federal agencies to patch a critical, actively exploited vulnerability in the LiteSpeed cPanel user-end plugin within four days. This vulnerability allows remote attackers to compromise servers, potentially leading to data breaches or service disruption. Organizations should immediately apply the patch and audit for signs of compromise.

Why do I care?

This critical vulnerability is actively exploited and could allow attackers full control of affected servers, enabling data theft, ransomware, or further network compromise.

What can I do about it?

Immediately apply the vendor-provided patch and scan for indicators of compromise. Ensure robust patch management and monitor for anomalous activity on affected systems.

Classification

Vulnerability, Critical Severity, Exploit

Source

Source feed: Bleeping Computer | Original source

CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day

Ionut Arghire — Wed, 27 May 2026 06:55:44 GMT

AI Summary

CISA has issued an urgent call for organizations to patch a zero-day vulnerability in the LiteSpeed cPanel plugin, which has been exploited in the wild to execute arbitrary scripts with root privileges. The vulnerability, which was resolved last week, allows attackers to gain full control over affected systems. Immediate patching is critical to prevent complete compromise of web servers.

Why do I care?

This zero-day allows remote attackers to execute code with root privileges, leading to full server compromise and potential lateral movement.

What can I do about it?

Apply the security update provided by the vendor immediately and review system logs for signs of exploitation.

Classification

Vulnerability, Critical Severity, Remote Code Execution, Zero-day Exploit

Source

Source feed: SecurityWeek | Original source

Anthropic Releases New Claude Sandbox, Security Guidance Plugin

Eduard Kovacs — Wed, 27 May 2026 06:43:08 GMT

AI Summary

Anthropic has released a new Claude Sandbox and Security Guidance Plugin that helps developers find and fix vulnerabilities while writing code. The tool has been used extensively internally at Anthropic, indicating its effectiveness in improving code security. This release is part of Anthropic's broader effort to enhance developer tools with AI-driven security features. The plugin aims to reduce the introduction of vulnerabilities during development, potentially lowering the risk of security incidents. While not a direct response to an active threat, it represents a proactive measure for secure coding practices.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Continuous Offensive Security: The Line We've Been Walking

Wed, 27 May 2026 04:00:00 GMT

AI Summary

The article describes Snyk's Continuous Offensive Security, an approach that integrates DAST, AI pentesting, and agent red teaming to identify exploitable flaws. It is a product overview, not a report on a specific threat, vulnerability, or attack. No actionable threat intelligence is provided.

Classification

Vulnerability, Low Severity

Source

Source feed: Snyk Blog | Original source

KnowledgeDeliver flaw exploited as a zero-day to install web shells

Ionut Ilascu — Tue, 26 May 2026 20:07:31 GMT

AI Summary

Attackers exploited a critical zero-day vulnerability in the KnowledgeDeliver learning management system to deploy the Godzilla web shell, enabling persistent remote access. The vulnerability allows unauthenticated code execution, posing a severe risk to affected servers. Immediate patching and monitoring for web shell activity are recommended.

Why do I care?

This zero-day in a widely used LMS could allow attackers to gain persistent access to sensitive educational data and internal networks.

What can I do about it?

Apply vendor patches immediately, monitor for Godzilla web shell indicators, and restrict internet exposure of LMS servers.

Classification

Vulnerability, Critical Severity, Web Shell Deployment, Zero-Day Exploitation

Source

Source feed: Bleeping Computer | Original source

Delta Electronics DIAView Patch Bypass

Ben Smith — Tue, 26 May 2026 19:14:41 GMT

AI Summary

A mitigation bypass for CVE-2025-62582 in Delta Electronics DIAView allows unauthenticated remote attackers to access configured databases. The incomplete fix means systems remain vulnerable to unauthorized database access, posing a critical risk to industrial environments. Immediate patch verification and network segmentation are advised.

Why do I care?

This vulnerability exposes sensitive industrial databases to remote attackers without authentication, enabling data theft or disruption.

What can I do about it?

Verify the DIAView installation has the latest complete patch, restrict network access to DIAView services, and monitor for unauthorized database queries.

Classification

Vulnerability, Critical Severity, Unauthenticated Remote Database Access

Source

Source feed: Tenable Research Advisories | Original source

For Enterprises, Security Remains Agentic AI's Biggest Challenge

Robert Lemos — Tue, 26 May 2026 19:12:52 GMT

AI Summary

The article highlights that while every company needs an agentic AI strategy, the security tools necessary for safe adoption are only beginning to emerge. It emphasizes that agentic AI presents a significant challenge for enterprise security, but does not detail specific threats, attacks, or mitigation steps. The piece serves as a general advisory on the state of AI security readiness.

Classification

Vulnerability, Medium Severity

Source

Source feed: Dark Reading | Original source

Microsoft Issues Out-of-Band SharePoint Patch

Jai Vijayan — Tue, 26 May 2026 18:25:44 GMT

AI Summary

Microsoft has issued an out-of-band patch for a critical vulnerability in SharePoint. This vulnerability could allow attackers to gain elevated access, potentially compromising sensitive data. Organizations should apply the patch immediately.

Why do I care?

SharePoint often contains sensitive corporate data, making it a prime target for attackers.

What can I do about it?

Apply the out-of-band patch as soon as possible and review access controls to mitigate risk.

Classification

Vulnerability, Critical Severity, Remote Code Execution

Source

Source feed: Dark Reading | Original source

AppOmni’s Marlin AI Brings Autonomous Investigation to SaaS Security

Kevin Townsend — Tue, 26 May 2026 14:00:00 GMT

AI Summary

AppOmni launched Marlin AI, an autonomous investigation tool for SaaS security that analyzes misconfigurations, correlates activity across enterprise environments, and provides remediation recommendations without full automation.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

State of SDLC Security 2026: How Risk Scales in Modern Development

Wiz Threat Research — Tue, 26 May 2026 12:45:02 GMT

AI Summary

This article provides a high-level overview of current trends in software development lifecycle (SDLC) security, focusing on how code, developer tooling, automation, and artificial intelligence are influencing application security. It does not detail specific threats, incidents, or vulnerabilities but rather discusses the evolving risk landscape in modern development environments. The content is generic and lacks actionable threat intelligence or concrete mitigation advice.

Classification

Vulnerability, Low Severity

Source

Source feed: Wiz Security Research | Original source

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Tue, 26 May 2026 12:00:00 GMT

AI Summary

CISA added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel plugin, to its Known Exploited Vulnerabilities catalog due to active exploitation. This flaw poses significant risks to federal enterprises and is a frequent vector for malicious actors. CISA mandates remediation for federal agencies under BOD 22-01 and urges all organizations to prioritize patching this and other KEV-listed vulnerabilities to reduce exposure to cyberattacks.

Why do I care?

This actively exploited privilege escalation vulnerability in the LiteSpeed cPanel plugin can allow attackers to gain elevated access, posing significant risk to servers running cPanel.

What can I do about it?

Immediately apply the vendor-provided patch for CVE-2026-48172 and prioritize remediation of all vulnerabilities in CISA's KEV catalog as part of your vulnerability management program.

Classification

Vulnerability, High Severity, Privilege Escalation

Source

Source feed: CISA Current Activity | Original source

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 11:49:53 GMT

AI Summary

Microsoft has released patches for CVE-2026-45659, a critical remote code execution vulnerability in SharePoint Server with a CVSS score of 8.8. The flaw allows unauthenticated attackers to execute arbitrary code without special conditions, posing a significant risk to enterprise environments. Organizations are urged to apply the updates immediately to prevent potential compromise.

Why do I care?

This unauthenticated RCE vulnerability in SharePoint could allow attackers to take full control of affected servers, leading to data theft or ransomware deployment.

What can I do about it?

Prioritize applying the latest security patches from Microsoft for all affected SharePoint versions; consider network segmentation and access controls as interim mitigations.

Classification

Vulnerability, High Severity, Remote Code Execution

Source

Source feed: The Hacker News | Original source

Anthropic Expands Claude’s Enterprise Security Governance With 28 New Integrations

Eduard Kovacs — Tue, 26 May 2026 11:44:53 GMT

AI Summary

Anthropic has expanded Claude's enterprise security governance capabilities through 28 new integrations with leading cybersecurity vendors. Notable partners include CrowdStrike, Palo Alto Networks, Microsoft, Okta, Zscaler, Netskope, Cloudflare, Fortinet, and Wiz. These integrations aim to strengthen Claude's security posture and provide enterprises with better governance tools. While no specific threats are disclosed, the announcement underscores the growing importance of AI security in enterprise environments. The integrations cover key areas such as endpoint protection, network security, identity management, and cloud security. This move highlights the trend of embedding AI assistants into broader security ecosystems to enhance threat detection and response.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment

Ionut Arghire — Tue, 26 May 2026 11:14:31 GMT

AI Summary

Hackers have been actively exploiting a zero-day vulnerability in KnowledgeDeliver, leveraging hardcoded machineKey values in its configuration file to perform ViewState deserialization attacks. This enables remote code execution and subsequent web shell deployment on affected servers. The attack grants persistent access and control over compromised systems, posing a significant threat to organizations using the software. To mitigate, administrators should apply available patches, replace hardcoded keys with cryptographically random values, and enforce ViewState integrity checks. Immediate investigation for signs of compromise is recommended.

Why do I care?

This zero-day allows attackers to achieve remote code execution and deploy web shells, giving them persistent access to critical infrastructure. Any organization using KnowledgeDeliver is at risk of complete compromise.

What can I do about it?

Apply security patches immediately, rotate hardcoded machineKey values to secure random keys, and enable ViewState tamper detection. Conduct a thorough review for signs of web shell activity.

Classification

Vulnerability, Critical Severity, Remote Code Execution, Web Shell Deployment

Source

Source feed: SecurityWeek | Original source

Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images

Mike Lennon — Tue, 26 May 2026 10:45:00 GMT

AI Summary

DockSec, an OWASP incubator project, is an open-source tool that aggregates findings from multiple container security scanners and leverages AI to produce plain-English remediation guidance and exact Dockerfile fixes. It aims to reduce the noise from vulnerability reports, helping developers prioritize and address issues efficiently. The tool is designed to improve container security by automating the correlation of scan results and providing actionable insights. No specific threats or malware are mentioned in the article.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

AI Threat Landscape Digest March-April 2026

matthewsu — Tue, 26 May 2026 10:09:59 GMT

AI Summary

The March-April 2026 AI Threat Landscape Digest reveals that offensive AI operations have advanced to real-time autonomous deployment across criminal and state-sponsored actors. Notably, a financially motivated operator breached nine Mexican government agencies using Claude Code for exploitation and GPT-4.1 for intelligence analysis, stealing tax records, civil registry data, and patient files. The attacker weaponized agentic configuration files (e.g., CLAUDE.md) as persistent jailbreak vectors. Key findings include AI-orchestrated attacks moving to criminal use, commercialization of AI attack platforms, and large-scale harvesting of AI provider API keys. This evolution underscores the urgent need for organizations to secure AI credentials and monitor for AI-driven intrusion patterns.

Why do I care?

AI-powered attacks are now operational, enabling adversaries to automate exploitation and rapidly compromise critical infrastructure, as demonstrated by the sustained breach of multiple government agencies.

What can I do about it?

Secure API keys for AI services as high-value assets, enforce strict access controls on agentic configuration files, and deploy monitoring to detect anomalous AI model usage patterns indicative of compromise.

Classification

Vulnerability, High Severity, Data Theft, Espionage, Ransomware

Source

Source feed: Check Point Research | Original source

CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 09:13:02 GMT

AI Summary

CERT-In has issued guidelines requiring organizations to patch critical vulnerabilities in internet-exposed systems within 12 hours, citing the increasing use of AI and LLMs by threat actors to automate exploitation. The mandate aims to reduce the window of exposure and prevent large-scale automated attacks. Organizations must prioritize patching and establish rapid response workflows to comply.

Why do I care?

Organizations with internet-facing systems face elevated risk as adversaries leverage AI to exploit known vulnerabilities at scale. Delayed patching increases exposure to automated attacks.

What can I do about it?

Implement automated vulnerability scanning and patching systems to meet the 12-hour window. Monitor CERT-In advisories and prioritize critical flaws in internet-exposed assets.

Classification

Vulnerability, High Severity, Vulnerability Exploitation

Source

Source feed: The Hacker News | Original source

CISA orders feds to patch actively exploited Drupal vulnerability

Sergiu Gatlan — Tue, 26 May 2026 08:46:45 GMT

AI Summary

CISA has mandated that U.S. federal agencies patch a critical SQL injection vulnerability in Drupal CMS by Wednesday, citing active exploitation. The vulnerability could allow attackers to compromise vulnerable servers. This directive underscores the urgency and potential impact on government networks, and all organizations using Drupal should prioritize patching.

Why do I care?

This vulnerability is actively exploited in the wild, allowing attackers to gain unauthorized access to Drupal-based servers, potentially leading to data breaches or full compromise.

What can I do about it?

Apply the latest Drupal security update immediately. If immediate patching is not possible, implement virtual patching or additional Web Application Firewall (WAF) rules to mitigate SQL injection attempts.

Classification

Vulnerability, Critical Severity, Exploitation of Vulnerability

Source

Source feed: Bleeping Computer | Original source

Third-Party Cyberattack Impacts Patient Information at The Oncology Institute

Pierluigi Paganini — Tue, 26 May 2026 05:25:00 GMT

AI Summary

The Oncology Institute disclosed a data breach stemming from a third-party software provider, likely Cognizant's TriZetto, which exposed sensitive patient information including names, addresses, Social Security numbers, and health data. The incident, discovered in November 2025 and confirmed in May 2026, affected over 3.4 million patients and may involve other healthcare providers. No ransomware group has claimed responsibility, and the attackers remain unidentified. The breach originated from unauthorized access to a web portal used for insurance eligibility verification. Financial data was not compromised, and no related fraud has been reported. The Oncology Institute and TriZetto have implemented additional security measures. This incident underscores the risk of third-party vulnerabilities in healthcare, demanding robust vendor oversight and continuous monitoring to protect patient data.

Why do I care?

Healthcare data breaches expose highly sensitive personal and medical information, leading to identity theft, regulatory penalties, and loss of patient trust; third-party vendors can be a weak link in your security chain.

What can I do about it?

Conduct thorough security assessments of all third-party vendors, enforce strict data access controls, and implement continuous monitoring for unauthorized activity; also, ensure incident response plans include vendor compromise scenarios.

Classification

Vulnerability, High Severity, Data Breach

Source

Source feed: Security Affairs (Data Breach) | Original source

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 05:19:38 GMT

AI Summary

A high-severity zero-day vulnerability (CVE-2026-5426, CVSS 7.5) in Digital Knowledge KnowledgeDeliver LMS, popular in Japan, was exploited to deploy the Godzilla web shell and subsequently Cobalt Strike Beacon. The flaw stems from hard-coded ASP.NET machine keys, enabling remote code execution. Organizations using this LMS should prioritize patching to prevent full compromise.

Why do I care?

Unpatched vulnerabilities in internal-facing applications like LMS can be leveraged for initial access and deployment of advanced persistent threats.

What can I do about it?

Apply the vendor patch immediately and review machine key rotation practices to prevent similar flaws.

Classification

Vulnerability, High Severity, C2 Framework, Web Shell

Source

Source feed: The Hacker News | Original source

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Mayank Parmar — Mon, 25 May 2026 17:07:33 GMT

AI Summary

Anthropic is preparing to roll out the restricted Claude Mythos model to Claude Code, raising concerns about major security risks to both private and public software. The model, announced in April, is intended to be limited but its integration into a developer tool could be exploited by adversaries to generate malicious code, automate attacks, or bypass security controls. The primary impact is an increased threat surface for software supply chains and development environments. Mitigation relies on Anthropic's restrictions and developer vigilance in vetting AI-generated outputs.

Why do I care?

The Mythos model's release in Claude Code could empower adversaries to generate sophisticated malware or automate attacks, directly threatening software integrity and security.

What can I do about it?

Enforce strict review of all AI-generated code, implement behavioral analysis for anomalies, and consider limiting use of such models until risks are fully assessed.

Classification

Vulnerability, High Severity, AI Model Risk

Source

Source feed: Bleeping Computer | Original source

25th May – Threat Intelligence Report

urias — Mon, 25 May 2026 15:08:40 GMT

AI Summary

This week's threat intelligence report covers multiple high-impact incidents. ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records. GitHub suffered a breach via a weaponized VS Code extension, exfiltrating 3,800 internal repositories. Grafana Labs also experienced a breach but refused ransom. The FBI warned about Kali365, a phishing kit targeting Microsoft 365 with device-code phishing that bypasses MFA. AI threats include campaigns compromising nine Mexican government agencies and a Russian actor using AI for propaganda and credential theft. Critical vulnerabilities include actively exploited Windows Defender flaws, Trend Micro Apex One directory traversal, and Drupal SQL injection under active mass attack. Threat intelligence reveals Nimbus Manticore (IRGC-linked) using SEO poisoning to deliver MiniFast backdoor, a 124% surge in hacktivism and ransomware in Germany, Austria, and Switzerland, Showboat Linux malware targeting telecoms, and a Laravel supply chain attack. Patching, multi-factor authentication, and monitoring for token theft are critical mitigations.

Why do I care?

Defenders should be concerned about the breadth of attacks including supply chain compromise, AI-driven phishing, and rapid exploitation of critical vulnerabilities, which pose significant risks to organizational security and data integrity.

What can I do about it?

Prioritize patching for Windows Defender, Trend Micro Apex One, and Drupal; implement phishing-resistant MFA; monitor for OAuth token abuse; restrict access to GitHub and CI/CD pipelines; and review AI email filters for injection evasion.

Classification

Vulnerability, High Severity, Data Breach, Exploit, Phishing

Source

Source feed: Check Point Research | Original source

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

Google Threat Intelligence Group — Mon, 25 May 2026 14:00:00 GMT

AI Summary

Mandiant investigated a critical vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS, allowing unauthenticated Remote Code Execution via ViewState deserialization due to hardcoded ASP.NET machine keys. An unknown threat actor exploited this to deploy the BLUEBEAM in-memory web shell, tamper with files, and trick users into downloading a fake installer, leading to Cobalt Strike BEACON backdoor infections. Impact includes full server compromise and potential user infection. Immediate remediation requires rotating machine keys, restricting access, and monitoring for indicators such as Event ID 1316, suspicious process launches from w3wp.exe, and file changes. This incident underscores the severe risk of shared secrets in deployment templates.

Why do I care?

This vulnerability enables unauthenticated remote code execution, allowing attackers to compromise the web server and infect all visitors with malware, resulting in extensive breach of sensitive data and systems.

What can I do about it?

Immediately generate and apply unique cryptographically strong machine keys for each KnowledgeDeliver instance, restrict LMS access to trusted IP ranges, and conduct thorough threat hunting using the provided IOCs and event log patterns.

Classification

Vulnerability, Critical Severity, Backdoor, Remote Code Execution, Web Shell

Source

Source feed: Mandiant Frontline Blog | Original source

Ghost CMS Vulnerability Exploited to Hack Over 700 Websites

Eduard Kovacs — Mon, 25 May 2026 13:27:12 GMT

AI Summary

An unidentified Ghost CMS vulnerability was exploited to compromise over 700 websites, including those of major universities like Harvard and Oxford, as well as DuckDuckGo. The attack leveraged a public-facing application vulnerability to gain unauthorized access, potentially resulting in defacement or data theft. The widespread impact underscores the critical need for prompt patching of content management systems. While details on the specific attack vector remain limited, organizations using Ghost CMS should prioritize updates and implement web application firewall rules to mitigate exploitation risk.

Why do I care?

A critical vulnerability in Ghost CMS is actively being exploited, leading to compromise of high-profile websites; defenders must act quickly to prevent their sites from being hacked.

What can I do about it?

Immediately patch Ghost CMS to the latest version, review server logs for signs of exploitation, and enable Web Application Firewall (WAF) rules to block common exploit patterns.

Classification

Vulnerability, High Severity, Exploit

Source

Source feed: SecurityWeek | Original source

Drupal Core SQL injection Vulnerability Added to CISA KEV (CVE-2026-9082)

Diksha Ojha — Mon, 25 May 2026 12:06:39 GMT

AI Summary

A critical SQL injection vulnerability (CVE-2026-9082) in Drupal Core has been added to CISA's Known Exploited Vulnerabilities catalog. This flaw affects sites using PostgreSQL databases and can be exploited by anonymous users, potentially leading to privilege escalation and remote code execution. Drupal reported active exploitation in the wild. Affected versions include Drupal 8.9 through 11.3.x. CISA has set a patching deadline of May 27, 2026. Organizations running Drupal with PostgreSQL should immediately upgrade to the latest patched versions (e.g., 11.3.10, 10.6.9) or apply manual patches for unsupported branches. Qualys QID 734308 is available for detection.

Why do I care?

This vulnerability is actively exploited in the wild and can allow unauthenticated attackers to achieve remote code execution, potentially leading to full server compromise without any user interaction.

What can I do about it?

Immediately apply the patched Drupal versions (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10) or manual patches for Drupal 9.5 and 8.9. For PostgreSQL deployments, prioritize this patch as the highest urgency.

Classification

Vulnerability, Critical Severity, Privilege Escalation, Remote Code Execution, SQL Injection

Source

Source feed: Qualys ThreatPROTECT | Original source

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 12:02:46 GMT

AI Summary

Threat actors are actively exploiting a critical SQL injection vulnerability (CVE-2026-26980, CVSS 9.4) in Ghost CMS to inject malicious JavaScript and launch ClickFix attacks. According to QiAnXin XLab, over 700 websites have been compromised. The vulnerability allows unauthenticated attackers to read arbitrary data from the Content API and inject scripts. Organizations using Ghost CMS should prioritize patching to prevent site hijacking and data theft.

Why do I care?

This vulnerability allows unauthenticated attackers to inject malicious scripts into Ghost CMS sites, leading to widespread compromise and potential data breaches.

What can I do about it?

Immediately apply the security patch for CVE-2026-26980 and ensure Ghost CMS is updated to the latest version. Monitor for signs of JavaScript injection or unauthorized access.

Classification

Vulnerability, Critical Severity, SQL Injection, Website Hijacking

Source

Source feed: The Hacker News | Original source

266,000 Affected by Data Breach at Radiology Associates of Richmond

Ionut Arghire — Mon, 25 May 2026 11:17:07 GMT

AI Summary

Radiology Associates of Richmond suffered a data breach affecting 266,000 individuals, with threat actors stealing names and protected health information from their systems. The incident underscores the persistent risk to healthcare organizations handling sensitive personal data. Immediate steps include notifying affected individuals, offering credit monitoring, and reviewing access controls to prevent future breaches.

Classification

Vulnerability, High Severity, Data Breach

Source

Source feed: SecurityWeek | Original source

Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects

Eduard Kovacs — Mon, 25 May 2026 10:58:07 GMT

AI Summary

Anthropic's Mythos tool detected 23,000 potential vulnerabilities across 1,000 open source projects, with many confirmed as critical or high-severity. This large-scale discovery indicates a significant security challenge for organizations using OSS components, as these vulnerabilities can be easily exploited if left unpatched. The expected increase in findings underscores the need for continuous vulnerability scanning and proactive patch management to reduce attack surface. The report serves as a reminder of the importance of securing the open source supply chain.

Why do I care?

The vulnerabilities discovered by Mythos directly impact the security posture of any organization using the affected open source components, potentially allowing attackers to gain initial access or execute code.

What can I do about it?

Conduct immediate inventory of OSS dependencies, apply patches for verified critical vulnerabilities, and implement automated scanning tools in the CI/CD pipeline to catch future flaws.

Classification

Vulnerability, High Severity, Vulnerability Discovery

Source

Source feed: SecurityWeek | Original source

Wireshark 4.6.6 Released, (Sun, May 24th)

Sun, 24 May 2026 16:38:21 GMT

AI Summary

Wireshark 4.6.6 has been released, addressing one vulnerability and 11 bugs. The blog post does not provide detailed information about the vulnerability or its potential impact. Wireshark users are recommended to update to the latest version to maintain security.

Classification

Vulnerability, Medium Severity

Source

Source feed: SANS Internet Storm Center | Original source

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Bill Toulas — Sun, 24 May 2026 14:12:32 GMT

AI Summary

A large-scale campaign is actively exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS, a popular content management system. Attackers inject malicious JavaScript that initiates ClickFix attack flows, potentially leading to site compromise, user redirection to phishing pages, or malware delivery. The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries, enabling them to insert malicious code into database fields. Organizations using Ghost CMS should immediately apply patches, validate input, and monitor for suspicious activity. The impact includes data breaches, reputational damage, and potential cascading attacks on visitors.

Why do I care?

This critical SQL injection flaw in Ghost CMS enables attackers to inject persistent malicious JavaScript, compromising website integrity and exposing visitors to phishing or malware.

What can I do about it?

Immediately update Ghost CMS to the latest patched version, implement web application firewall rules to block SQL injection attempts, and audit website files for unauthorized modifications.

Classification

Vulnerability, Critical Severity, Malicious JavaScript, SQL Injection

Source

Source feed: Bleeping Computer | Original source

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

info@thehackernews.com (The Hacker News) — Sat, 23 May 2026 11:55:35 GMT

AI Summary

Anthropic's Project Glasswing, a cybersecurity initiative leveraging AI, has uncovered over 10,000 high- or critical-severity vulnerabilities in systemically important software worldwide. Launched last month with approximately 50 partners, the project aims to identify and mitigate security flaws in widely used applications. The scale and severity of these vulnerabilities pose significant risks to global cybersecurity, potentially enabling widespread exploitation if not addressed. Organizations relying on affected software must prioritize patching and enhance their vulnerability management processes to defend against potential attacks. The findings underscore the growing role of AI in proactive threat discovery and the urgent need for collaborative security efforts in the software supply chain.

Why do I care?

These 10,000+ high-severity vulnerabilities affect widely used critical software, creating a broad attack surface that could be exploited by adversaries for initial access or system compromise.

What can I do about it?

Immediately inventory and patch affected software based on vendor advisories, and implement robust vulnerability scanning and patch management processes to mitigate risks.

Classification

Vulnerability, Critical Severity, Vulnerability Discovery

Source

Source feed: The Hacker News | Original source

‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains

Ionut Arghire — Sat, 23 May 2026 11:00:00 GMT

AI Summary

The newly discovered 'Underminr' vulnerability affects an estimated 88 million domains, enabling attackers to bypass DNS filtering and conceal command-and-control traffic behind trusted domains. This attack vector undermines a core security control, increasing the risk of persistent, undetected compromise. Organizations must reassess their DNS security posture and monitor for anomalous DNS resolutions to detect and mitigate exploitation. No patch has been announced, so immediate detection and mitigation strategies are critical.

Why do I care?

Attackers can exploit this vulnerability to hide C2 traffic within legitimate domain resolutions, bypassing DNS-based defenses and evading detection for extended periods.

What can I do about it?

Strengthen DNS logging and monitoring for unusual patterns, implement DNS-layer threat intelligence, and restrict outbound DNS traffic to authorized resolvers only.

Classification

Vulnerability, High Severity, DNS Spoofing, Filter Bypass

Source

Source feed: SecurityWeek | Original source

LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root

info@thehackernews.com (The Hacker News) — Sat, 23 May 2026 07:35:13 GMT

AI Summary

A critical privilege assignment vulnerability in the LiteSpeed cPanel Plugin (CVE-2026-48172, CVSS 10.0) is being actively exploited. The flaw allows any cPanel user, including compromised accounts or attackers, to execute arbitrary scripts with root privileges, leading to full server compromise. Immediate patching and monitoring are essential.

Why do I care?

This vulnerability enables attackers to gain root access, potentially compromising the entire server and all hosted data.

What can I do about it?

Apply the vendor patch immediately, restrict cPanel user permissions, and monitor for unauthorized script execution or privilege escalation attempts.

Classification

Vulnerability, Critical Severity, Privilege Escalation, Remote Code Execution

Source

Source feed: The Hacker News | Original source

Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

info@thehackernews.com (The Hacker News) — Sat, 23 May 2026 07:23:48 GMT

AI Summary

CISA added a critical Drupal Core SQL injection vulnerability (CVE-2026-9082) to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw affects all supported Drupal versions and allows unauthenticated attackers to execute arbitrary SQL queries. Organizations using Drupal should prioritize patching as exploitation can lead to data theft, privilege escalation, or further compromise. Immediate mitigation includes applying the security update released by Drupal and reviewing logs for signs of compromise.

Why do I care?

This actively exploited SQL injection vulnerability poses a significant risk to Drupal sites, potentially allowing attackers to access sensitive data or gain unauthorized access.

What can I do about it?

Immediately apply the patch for CVE-2026-9082 from Drupal, update to the latest supported version, and monitor for anomalous database activity.

Classification

Vulnerability, Critical Severity, Active Exploitation, SQL Injection

Source

Source feed: The Hacker News | Original source

Metasploit Wrap Up 05/22/2026

Martin Sutovsky — Fri, 22 May 2026 19:10:05 GMT

AI Summary

The Metasploit Wrap-Up for May 22, 2026, introduces five new modules targeting critical vulnerabilities. These include an authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182), a zip-slip RCE in HUSTOJ (CVE-2026-24479), an unauthenticated RCE in Barracuda ESG (CVE-2023-7102), an authentication bypass leading to root RCE in cPanel/WHM (CVE-2026-41940), and a post-exploitation module to extract and crack credentials from Tenable Security Center. These modules provide attackers with tools to bypass authentication, execute arbitrary code, and steal credentials. Immediate patching and monitoring are recommended to mitigate these threats.

Why do I care?

These new Metasploit modules automate exploitation of critical vulnerabilities in widely-used products, enabling attackers to gain unauthorized access, execute code remotely, and compromise sensitive credentials with minimal effort.

What can I do about it?

Prioritize patching Cisco SD-WAN, HUSTOJ, Barracuda ESG, and cPanel/WHM systems. Implement network segmentation, disable vulnerable services where possible, and monitor for exploitation attempts using IDS/IPS signatures.

Classification

Vulnerability, Critical Severity, Authentication Bypass, Credential Theft, Remote Code Execution

Source

Source feed: Rapid7 Security Research | Original source

Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure

Eduard Kovacs — Fri, 22 May 2026 17:15:26 GMT

AI Summary

Drupal has issued a warning regarding the active exploitation of CVE-2026-9082, a vulnerability disclosed in the content management system. Security firms report attacks targeting thousands of websites, highlighting the short window between disclosure and exploitation. The vulnerability could allow attackers to achieve unauthorized access or remote code execution on affected systems. Immediate patching is critical to prevent compromise. Drupal administrators should apply the security update promptly, monitor server logs for suspicious activity, and ensure web application firewalls are configured to block exploitation attempts. Organizations using Drupal are at high risk and must take urgent action.

Why do I care?

This vulnerability is actively being exploited against thousands of websites, exposing organizations to potential data breaches, defacement, or full system compromise.

What can I do about it?

Immediately apply the security patch released by Drupal, review access logs for exploitation indicators (e.g., unusual POST requests), and deploy virtual patching via a WAF if direct patching is delayed.

Classification

Vulnerability, High Severity, Web Application Exploit

Source

Source feed: SecurityWeek | Original source

From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence

Microsoft Defender Security Research Team — Fri, 22 May 2026 16:53:39 GMT

AI Summary

This article details a multi-stage Linux intrusion that began with the compromise of an internet-facing F5 BIG-IP edge appliance. The threat actor exploited the appliance to gain SSH access to a Linux server, then performed extensive reconnaissance including network scanning with Nmap and HTTP service discovery with gowitness. Subsequently, they pivoted to an internal Confluence server, where they stole credentials and attempted Kerberos relay attacks against Active Directory for lateral movement and identity compromise. The attack highlights the growing risk of edge appliances as initial access points, the abuse of trusted relationships for lateral movement, and the importance of monitoring Linux and cloud environments. Microsoft Defender XDR detected and blocked the attack. Organizations are urged to patch edge devices, enforce least privilege, and use identity protection solutions to mitigate such threats.

Why do I care?

Edge appliances like F5 BIG-IP are highly trusted and often overlooked, making them prime targets. Their compromise can grant threat actors a durable foothold and enable lateral movement that bypasses traditional perimeter defenses, potentially leading to full domain compromise.

What can I do about it?

Regularly patch and retire end-of-life edge appliances, monitor SSH access to Linux servers, enforce least privilege for all accounts, and deploy identity protection solutions such as Microsoft Defender for Identity to detect and block credential-based attacks.

Classification

Vulnerability, Critical Severity, Credential Access, Lateral Movement, Multi-stage Intrusion

Source

Source feed: Microsoft Security Blog | Original source

The Good, the Bad and the Ugly in Cybersecurity – Week 21

SentinelOne — Fri, 22 May 2026 15:08:13 GMT

AI Summary

This week's cybersecurity roundup highlights three major stories: international police operations dismantling cybercrime infrastructure (including First VPN and an infostealer campaign), a new macOS stealer variant called Reaper (part of SHub Stealer family) that spoofs Apple, Google, and Microsoft brands to infect Macs, and two actively exploited Microsoft Defender zero-days (including CVE-2026-41091) enabling SYSTEM privileges and denial-of-service on unpatched Windows systems. The Reaper malware employs advanced evasion techniques, harvests credentials and financial documents, and establishes persistence. Organizations should apply Microsoft updates urgently and monitor for suspicious AppleScript activity and outbound traffic.

Why do I care?

The Microsoft Defender zero-days are actively exploited, granting SYSTEM privileges or causing DoS, and the Reaper macOS stealer targets business documents and credentials with persistence.

What can I do about it?

Immediately apply Microsoft security updates for Defender, and on macOS monitor for unexpected AppleScript execution, LaunchAgents, and outbound connections to suspicious domains.

Classification

Vulnerability, High Severity, Infostealer, Phishing, Ransomware

Source

Source feed: SentinelOne | Original source

RemotePE: The Lazarus RAT that lives in memory

Fox-SRT — Fri, 22 May 2026 14:55:58 GMT

AI Summary

This article details a sophisticated memory-only toolset used by a Lazarus subgroup targeting financial and cryptocurrency organizations. The toolset consists of three components: DPAPILoader, which uses DPAPI and environmental keying to decrypt and load RemotePELoader from disk; RemotePELoader, which beacons to a C2 server and receives RemotePE; and RemotePE, a RAT executed entirely in memory. The malware evades detection through DPAPI encryption, memory-only execution, and masquerading as legitimate Windows services. The toolset's low forensic footprint makes it suitable for long-term observation campaigns, often preceding high-impact theft. Defenders are encouraged to hunt for service masquerading and memory-resident payloads.

Why do I care?

This sophisticated Lazarus toolset can maintain persistent, fileless access for extended periods, potentially leading to large-scale financial theft from targeted organizations.

What can I do about it?

Monitor for suspicious service installations mimicking Internet Authentication Service and investigate unknown services loading DLLs from unusual paths. Additionally, deploy behavioral detection for memory-only payload execution and DPAPI anomalies.

Classification

Vulnerability, High Severity, Remote Access Trojan

Source

Source feed: Fox-IT Blog | Original source

In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking

SecurityWeek News — Fri, 22 May 2026 14:07:06 GMT

AI Summary

This article summarizes several cybersecurity incidents: a CISA contractor exposed credentials, ongoing testing and new features of the Mythos malware, and a critical Huawei router vulnerability that caused a telecom blackout. Additional stories include industrial router exploitation and gas station hacking. The Huawei flaw underscores risks in critical infrastructure, while credential leaks highlight supply chain security issues. Organizations should prioritize patching network devices and enforcing robust credential management to mitigate potential attacks.

Classification

Vulnerability, Medium Severity, Exploit, Information Disclosure

Source

Source feed: SecurityWeek | Original source

Trend Micro warns of Apex One zero-day exploited in the wild

Sergiu Gatlan — Fri, 22 May 2026 13:39:19 GMT

AI Summary

Trend Micro warned of a zero-day vulnerability in its Apex One security software being actively exploited in attacks targeting Windows systems. The vulnerability could allow attackers to bypass security controls or execute arbitrary code. Trend Micro has released patches to address the issue. Organizations using Apex One are urged to apply updates immediately. The attacks appear to be targeted, and immediate action is recommended to prevent compromise.

Why do I care?

This zero-day vulnerability in your primary endpoint security solution can be used by attackers to bypass defenses and gain initial access.

What can I do about it?

Apply the latest patches from Trend Micro Apex One immediately and monitor for suspicious activity or signs of compromise.

Classification

Vulnerability, High Severity, Targeted Attack, Zero-day Exploit

Source

Source feed: Bleeping Computer | Original source

Drupal: Critical SQL injection flaw now targeted in attacks

Bill Toulas — Fri, 22 May 2026 13:14:40 GMT

AI Summary

Drupal has disclosed a critical SQL injection vulnerability (CVE-2024-????) that is now being actively exploited in the wild. The flaw allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to data theft, privilege escalation, or complete site compromise. Drupal core versions prior to 10.x.x are affected. Organizations must immediately update their Drupal installations to the latest patched version and review logs for signs of exploitation. No specific threat actor has been associated with these attacks, but the active exploitation indicates broad scanning and targeting of vulnerable instances.

Why do I care?

This critical SQL injection vulnerability is being actively exploited, allowing remote attackers to compromise Drupal sites without authentication, leading to potential data breaches and full site takeover.

What can I do about it?

Immediately patch all Drupal instances to the latest secure version, apply virtual patching if immediate update is not possible, monitor web server logs for suspicious SQL injection patterns, and restrict database access controls.

Classification

Vulnerability, Critical Severity, SQL Injection

Source

Source feed: Bleeping Computer | Original source

Ubiquiti patches three max severity UniFi OS vulnerabilities

Sergiu Gatlan — Fri, 22 May 2026 12:00:42 GMT

AI Summary

Ubiquiti has patched three maximum severity vulnerabilities in UniFi OS that allow remote, unauthenticated attackers to execute arbitrary code on affected devices. These flaws pose a critical risk to network infrastructure, potentially enabling full device compromise and lateral movement within networks. Users are urged to apply the latest firmware updates immediately to mitigate exploitation.

Why do I care?

These vulnerabilities enable remote, unauthenticated code execution on UniFi devices, risking full compromise of network infrastructure and sensitive data.

What can I do about it?

Immediately update all UniFi OS devices to the latest firmware version and restrict remote access to trusted networks only.

Classification

Vulnerability, Critical Severity, Remote Code Execution

Source

Source feed: Bleeping Computer | Original source

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 22 May 2026 12:00:00 GMT

AI Summary

CISA added CVE-2026-9082, a Drupal Core SQL Injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. This vulnerability poses significant risks to federal enterprise and all organizations. SQL injection vulnerabilities are frequent attack vectors for malicious cyber actors. The addition triggers a remediation deadline for FCEB agencies under BOD 22-01. CISA strongly recommends all organizations prioritize timely patching of this and other KEV-listed vulnerabilities to reduce exposure to cyberattacks.

Why do I care?

This SQL injection vulnerability in Drupal core is actively exploited, allowing attackers to compromise systems and steal sensitive data.

What can I do about it?

Immediately apply the security update provided by Drupal and follow CISA's guidance. Prioritize this vulnerability in your patch management process.

Classification

Vulnerability, High Severity, SQL Injection

Source

Source feed: CISA Current Activity | Original source

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 11:38:12 GMT

AI Summary

This article provides a technical analysis of how Windows kernel-mode drivers can be exploited from user mode without requiring their associated hardware, focusing on the Bring Your Own Vulnerable Driver (BYOVD) technique. It highlights that many drivers contain vulnerabilities that are reachable without hardware, making them exploitable for privilege escalation. The research aims to evaluate the exploitability of driver vulnerabilities typically gated by hardware presence. The impact includes potential system compromise and elevation of privileges, allowing attackers to gain kernel-level access. Mitigation strategies may include driver blocklist enforcement and digital signature verification.

Why do I care?

Attackers can exploit vulnerable drivers to escalate privileges and bypass security controls, even without specialized hardware.

What can I do about it?

Implement driver blocklist policies, enforce driver signature verification, and use tools like Microsoft Defender for Endpoint to detect vulnerable driver loading.

Classification

Vulnerability, High Severity, Exploit, Privilege Escalation

Source

Source feed: The Hacker News | Original source

We hardened zizmor's GitHub Actions static analyzer

Fri, 22 May 2026 11:00:00 GMT

AI Summary

In March 2026, attackers exploited a pull_request_target misconfiguration in aquasecurity/trivy-action to steal organization and repository secrets, which were then used to backdoor LiteLLM on PyPI. This supply chain attack highlights the critical need for static analysis of GitHub Actions workflows. The article details improvements to the zizmor static analyzer, including full YAML anchor support, deserialization bug fixes, and expression evaluator alignment with GitHub's test suite. These enhancements help prevent misconfigurations that lead to secret exfiltration and compromise. Organizations using GitHub Actions are urged to adopt tools like zizmor to catch risky configurations, as even a single misconfiguration can lead to severe supply chain attacks.

Why do I care?

Misconfigurations in GitHub Actions workflows, such as pull_request_target, can expose secrets and lead to supply chain attacks like the Trivy-LiteLLM compromise.

What can I do about it?

Integrate static analysis tools like zizmor into your CI/CD pipeline to audit workflows for misconfigurations, and enforce strict permissions and secrets management.

Classification

Vulnerability, Critical Severity, Misconfiguration Exploitation, Supply Chain Attack

Source

Source feed: Trail of Bits | Original source

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Kaspersky — Fri, 22 May 2026 09:12:13 GMT

AI Summary

Cloud Atlas continues to target government and diplomatic entities in Russia and Belarus using spear-phishing emails with ZIP archives containing LNK files. The attack chain involves PowerShell scripts that deploy two backdoors: VBCloud, a file stealer targeting documents and PDFs, and PowerShower, used for network reconnaissance, lateral movement, and Kerberoasting. The group employs SSH tunnels, Tor, and RevSocks for persistent C2, along with registry persistence and anti-forensic measures. Organizations in these sectors are at high risk of data theft and network compromise.

Why do I care?

Cloud Atlas is a sophisticated APT group actively targeting government and diplomatic sectors in Russia and Belarus, using advanced techniques to steal sensitive data and move laterally within networks.

What can I do about it?

Implement email filtering to detect malicious attachments, enforce multi-factor authentication, monitor for unusual PowerShell execution and SSH tunnel activity, and conduct regular security awareness training to reduce phishing risk.

Classification

Vulnerability, High Severity, Backdoor, Credential Theft, Spear Phishing

Source

Source feed: Kaspersky Securelist | Original source

TrendAI Patches Apex One Zero-Day Exploited in the Wild

Eduard Kovacs — Fri, 22 May 2026 08:19:24 GMT

AI Summary

TrendAI has released a patch for CVE-2026-34926, a directory traversal zero-day vulnerability in the on-premise version of Apex One that has been exploited in the wild. The flaw could allow attackers to read or write arbitrary files, potentially leading to system compromise or disabling the security product. Organizations using Apex One on-premise are urged to apply the patch immediately.

Why do I care?

This zero-day is actively exploited, and because it affects a security product, attackers can disable defenses or gain privileged access to endpoints.

What can I do about it?

Apply the latest patch from TrendAI immediately. Ensure Apex One installations are up-to-date and monitor for suspicious file access activity.

Classification

Vulnerability, Critical Severity, Zero-Day Exploit

Source

Source feed: SecurityWeek | Original source

CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 05:47:33 GMT

AI Summary

CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-34291 in Langflow (CVSS 9.4) and an undisclosed vulnerability in Trend Micro Apex One, both with evidence of active exploitation. The Langflow flaw is an origin validation error potentially allowing cross-origin attacks. Organizations using these products are at immediate risk. CISA urges priority patching and applying vendor mitigations. The impact could include unauthorized access or system compromise.

Why do I care?

These vulnerabilities are actively exploited, exposing your systems to potential compromise if left unpatched.

What can I do about it?

Immediately apply patches for Langflow and Trend Micro Apex One; if not available, implement workarounds from vendor advisories.

Classification

Vulnerability, Critical Severity, Active Exploitation, Remote Code Execution

Source

Source feed: The Hacker News | Original source

Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 05:36:18 GMT

AI Summary

Cisco has released updates to address a critical security flaw in Secure Workload (formerly Tetration), designated CVE-2026-20223 with a CVSS score of 10.0. This vulnerability allows an unauthenticated, remote attacker to access sensitive data by exploiting insufficient validation and authentication in REST API endpoints. The attack can be carried out over the network without user interaction, making it highly exploitable. The impact is considered maximum severity because it could lead to unauthorized access to sensitive information, potentially including credentials, configuration data, and other confidential material. Organizations using Secure Workload are urged to apply the patches immediately as there are no known workarounds. This vulnerability underscores the importance of securing API endpoints and implementing strong authentication mechanisms.

Why do I care?

This vulnerability allows unauthenticated remote attackers to access sensitive data from Secure Workload, potentially leading to data breaches and exposure of critical infrastructure information.

What can I do about it?

Apply the patches provided by Cisco immediately. Also, review access controls and authentication mechanisms for all API endpoints to prevent similar issues.

Classification

Vulnerability, Critical Severity, Information Disclosure

Source

Source feed: The Hacker News | Original source

Google API Keys Remain Active After Deletion

Rob Wright — Thu, 21 May 2026 20:07:47 GMT

AI Summary

A security researcher discovered that Google Cloud API keys remain active for approximately 23 minutes after deletion, contradicting Google's claim of immediate revocation. This window allows potential continued unauthorized access to cloud resources, posing a risk to organizations that rely on timely key deletion for security. Organizations should implement additional checks and monitor for key usage after deletion to mitigate this vulnerability.

Why do I care?

This flaw means that supposedly deleted API keys can still be used for over 20 minutes, potentially allowing attackers to maintain access to cloud resources even after credential revocation efforts.

What can I do about it?

Organizations using Google Cloud should review and rotate API keys promptly, monitor for usage of deleted keys, and consider additional revocation mechanisms such as disabling the underlying service account.

Classification

Vulnerability, High Severity, API Key Exposure

Source

Source feed: Dark Reading | Original source

Google accidentally exposed details of unfixed Chromium flaw

Bill Toulas — Thu, 21 May 2026 18:13:50 GMT

AI Summary

Google accidentally leaked details of an unfixed Chromium vulnerability that allows JavaScript to continue running in the background even after the browser is closed, enabling remote code execution. This flaw could be exploited by attackers to execute arbitrary code on a target device without user interaction, potentially leading to persistent compromise. The inadvertent disclosure increases the risk of exploitation before a patch is available. Users and organizations should monitor for updates from Google and consider disabling JavaScript or running browsers in sandboxed environments until a fix is released. Technical mitigation may include application whitelisting and restricting background processes.

Why do I care?

This vulnerability enables remote code execution on devices even when the browser is closed, posing a significant risk of persistent compromise without user awareness.

What can I do about it?

Monitor for patches from Google, consider disabling JavaScript in untrusted contexts, and enforce application whitelisting and sandboxing to limit the impact of exploitation.

Classification

Vulnerability, High Severity, Remote Code Execution

Source

Source feed: Bleeping Computer | Original source

Snyk announces Anthropic updates: Evo integrates with Claude Enterprise, and Snyk Desk comes to Claude Desktop

Thu, 21 May 2026 17:00:00 GMT

AI Summary

Snyk announced two new integrations with Anthropic's Claude. Evo by Snyk now integrates with Claude Enterprise, enabling AI-assisted development with security scanning. Additionally, the Snyk Security Desktop Extension is available on Claude Desktop for macOS and Windows, bringing vulnerability detection directly into the AI assistant. These updates aim to streamline secure coding practices for developers using Anthropic's AI tools. While this is a product announcement with no immediate security threat, it highlights the growing trend of embedding security into AI-assisted development workflows.

Classification

Vulnerability, Low Severity

Source

Source feed: Snyk Blog | Original source

What’s new in Microsoft Security: May 2026

Alym Rayani — Thu, 21 May 2026 16:00:00 GMT

AI Summary

Microsoft Security's May 2026 update introduces new features to enhance visibility, control, and protection across expanding ecosystems, particularly as AI adoption accelerates. Key updates include the general availability of Microsoft Purview Data Security Posture Management (DSPM) for unified discovery, protection, and remediation of sensitive data; Data Security Investigations with OCR and custom examination capabilities; Entra ID Account Recovery for secure account access restoration; and Windows 365 for Agents providing a secure execution environment for AI agents. These innovations help security teams manage blind spots from distributed agents, data, and identities, offering improved reporting, third-party visibility, and AI-powered analysis. While no new threats are announced, these tools aim to bolster defense against data breaches and identity compromises by enhancing detection and response capabilities.

Classification

Vulnerability, Low Severity

Source

Source feed: Microsoft Security Blog | Original source

Max severity Cisco Secure Workload flaw gives Site Admin privileges

Sergiu Gatlan — Thu, 21 May 2026 13:58:33 GMT

AI Summary

A maximum-severity vulnerability in Cisco Secure Workload allows attackers to gain Site Admin privileges, potentially leading to full platform compromise. The flaw is now patched by Cisco, and immediate update is strongly recommended to prevent unauthorized administrative access and control over the secure workload environment.

Why do I care?

Attackers exploiting this vulnerability can gain Site Admin privileges, enabling full control over the Cisco Secure Workload platform and potentially disrupting critical infrastructure.

What can I do about it?

Apply the latest security updates from Cisco immediately to remediate the vulnerability and restrict unauthorized privilege escalation.

Classification

Vulnerability, Critical Severity, Privilege Escalation

Source

Source feed: Bleeping Computer | Original source

Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement

Rapid7 Labs — Thu, 21 May 2026 13:00:00 GMT

AI Summary

The Q1 2026 threat landscape report reveals that vulnerability exploitation has surpassed social engineering as the top initial access vector, with over half of exploited vulnerabilities being zero-click and network-facing, driven in part by AI-enabled exploitation. Geopolitical tensions continue to shape cyber operations, with Iranian state-aligned groups targeting government and industrial systems in the Middle East, while Russian and Chinese campaigns focus on intelligence collection and persistent access. Law enforcement takedowns of RAMP and LeakBase have disrupted major ransomware and credential marketplaces, pushing threat actors toward smaller communities. Ransomware is increasingly shifting toward 'pure extortion' tactics that prioritize rapid data theft over encryption. The report emphasizes that organizations can no longer rely on periodic assessments and reactive workflows; they need continuous attack surface visibility, better risk prioritization, and the ability to respond at the speed of modern attackers to prevent small exposures from escalating into large-scale incidents.

Why do I care?

Attackers are increasingly exploiting zero-click vulnerabilities for initial access and shifting to pure extortion tactics, making reactive defense strategies ineffective.

What can I do about it?

Implement continuous attack surface monitoring and prioritize patching of zero-click, network-facing vulnerabilities to reduce exposure.

Classification

Vulnerability, High Severity, Ransomware, Vulnerability Exploitation

Source

Source feed: Rapid7 Security Research | Original source

Red-Teaming Cloud Infrastructure with Neo

Thu, 21 May 2026 12:18:50 GMT

AI Summary

The article discusses the use of AI security tooling for code review and zero-day research, highlighting ProjectDiscovery's use of Neo to surface zero-days in production software. It emphasizes the efficiency of AI in identifying vulnerabilities but also notes the overwhelming volume of findings.

Classification

Vulnerability, Low Severity, Vulnerability Research

Source

Source feed: Project Discovery | Original source

Cisco Patches Critical Vulnerability in Secure Workload

Ionut Arghire — Thu, 21 May 2026 12:04:13 GMT

AI Summary

The article reports a critical vulnerability in Cisco Secure Workload's REST API, caused by insufficient validation and authentication. This flaw allows remote attackers to gain Site Admin privileges, potentially leading to full compromise of the application. Cisco has released patches to address the issue. Organizations using Cisco Secure Workload should prioritize applying these patches to prevent unauthorized administrative access.

Why do I care?

This vulnerability enables remote attackers to gain administrative control over Cisco Secure Workload, which manages security policies across workloads, potentially exposing the entire environment to compromise.

What can I do about it?

Immediately apply the security patches provided by Cisco for Secure Workload and review API access controls to limit exposure. Monitor for any unusual administrative activity.

Classification

Vulnerability, Critical Severity, Authentication Bypass

Source

Source feed: SecurityWeek | Original source

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Thu, 21 May 2026 12:00:00 GMT

AI Summary

CISA added two new vulnerabilities (CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One) to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation. These vulnerabilities pose significant risks, especially to federal networks, and are frequently used by malicious actors. CISA urges all organizations to prioritize timely remediation as part of their vulnerability management practices to reduce exposure to cyberattacks.

Why do I care?

These vulnerabilities are actively exploited and can lead to unauthorized access or compromise of systems, posing a direct threat to organizational security.

What can I do about it?

Immediately apply available patches and updates from vendors; if patches are not yet available, implement mitigation measures as recommended. Prioritize remediation of these CVEs in alignment with BOD 22-01 requirements.

Classification

Vulnerability, High Severity, Exploit

Source

Source feed: CISA Current Activity | Original source

Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking

Eduard Kovacs — Thu, 21 May 2026 10:58:49 GMT

AI Summary

CVE-2026-9082 is a highly critical vulnerability in Drupal that can be exploited without authentication, allowing attackers to achieve information disclosure, privilege escalation, and remote code execution. This poses severe risk to all unpatched Drupal websites, potentially enabling complete site compromise, data theft, and unauthorized access. The vulnerability is actively being exploited in the wild, and Drupal has released a security patch. Organizations using Drupal must immediately apply the update to prevent exploitation. The impact of this vulnerability is critical, as it undermines core security controls and can lead to full system takeover. Immediate action is essential to protect sensitive data and maintain operational integrity.

Why do I care?

This vulnerability allows unauthenticated attackers to execute arbitrary code and escalate privileges on Drupal websites, potentially leading to full compromise and data breaches without any user interaction.

What can I do about it?

Immediately update all Drupal installations to the latest patched version and verify no unauthorized changes have been made; prioritize this patch given the critical severity and active exploitation.

Classification

Vulnerability, Critical Severity, Information Disclosure, Privilege Escalation, Remote Code Execution

Source

Source feed: SecurityWeek | Original source

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 10:55:57 GMT

AI Summary

Microsoft disclosed two actively exploited vulnerabilities in Microsoft Defender: a privilege escalation flaw (CVE-2026-41091, CVSS 7.8) allowing SYSTEM privileges, and a denial-of-service vulnerability. Both are under active exploitation, posing significant risk to enterprise security. Organizations should prioritize applying Microsoft's security updates to mitigate these threats and prevent potential system compromise or service disruption.

Why do I care?

These Defender vulnerabilities are actively exploited and can lead to full system compromise or denial of service, undermining your primary security tool.

What can I do about it?

Immediately apply Microsoft's security patches for Defender and monitor for any signs of exploitation or unusual system behavior.

Classification

Vulnerability, High Severity, Denial of Service, Privilege Escalation

Source

Source feed: The Hacker News | Original source

When Identity is the Attack Path

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 10:30:00 GMT

AI Summary

This article highlights a critical identity-based attack path in cloud environments. A single cached AWS access key on a Windows machine—obtained through normal user login—can be exploited by attackers to gain access to approximately 98% of an organization's cloud entities. The key point is that no misconfiguration or policy violation is required; the vulnerability stems from standard credential caching behavior. This exposure underscores the inherent risk of long-lived access keys and the broad blast radius of compromised credentials. Organizations must recognize that even minor attackers can leverage such keys for extensive lateral movement and data access. Mitigation requires shifting to temporary credentials, enforcing least privilege, and continuous monitoring for anomalous credential usage.

Why do I care?

A single cached AWS key on a Windows machine can expose 98% of your cloud environment to attackers, even without any misconfiguration.

What can I do about it?

Implement ephemeral credentials (e.g., using AWS IAM roles) and enforce strict access controls; monitor for unusual API calls and credential usage.

Classification

Vulnerability, High Severity, Cloud Access Abuse, Credential Theft

Source

Source feed: The Hacker News | Original source

Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days

Ionut Arghire — Thu, 21 May 2026 09:52:05 GMT

AI Summary

Microsoft has released patches for two zero-day vulnerabilities, named UnDefend and RedSun Defender, which are being actively exploited in the wild. The flaws allow attackers to elevate privileges to SYSTEM or cause a denial-of-service condition, potentially leading to full system compromise. Given the active exploitation, organizations should prioritize applying these patches. The vulnerabilities were reported by security researchers and affect Microsoft products, though specific affected software has not been detailed. Immediate patching is critical to mitigate risk.

Why do I care?

These zero-day vulnerabilities are actively exploited and can grant attackers SYSTEM-level privileges, enabling complete control over affected systems.

What can I do about it?

Apply the relevant Microsoft security updates immediately and ensure endpoint monitoring is in place to detect any related post-exploitation activity.

Classification

Vulnerability, Critical Severity, Denial of Service, Privilege Escalation

Source

Source feed: SecurityWeek | Original source

Google’s Surge in Chrome Vulnerability Discoveries Likely Driven by AI

Eduard Kovacs — Thu, 21 May 2026 09:37:08 GMT

AI Summary

The article reports that Google has patched over 200 vulnerabilities in Chrome, with the surge in discoveries attributed to the use of AI tools. This indicates an increased focus on proactive vulnerability research, which helps improve browser security. Organizations should ensure Chrome is updated regularly to mitigate potential risks from these vulnerabilities.

Classification

Vulnerability, Medium Severity

Source

Source feed: SecurityWeek | Original source

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility

Kevin Townsend — Thu, 21 May 2026 08:14:53 GMT

AI Summary

The article highlights a supply chain security crisis characterized by an overwhelming number of new vulnerabilities, rapid exploitation timelines, and insufficient visibility into the threat landscape. This lack of visibility hinders organizations' ability to prioritize and remediate risks effectively, increasing exposure to supply chain attacks. The impact is a heightened risk of breaches through compromised software dependencies and third-party components. Mitigation requires improved vulnerability management practices, automated discovery tools, and enhanced collaboration across the supply chain.

Classification

Vulnerability, Medium Severity, Supply Chain Attack

Source

Source feed: SecurityWeek | Original source

Microsoft warns of new Defender zero-days exploited in attacks

Sergiu Gatlan — Thu, 21 May 2026 07:49:48 GMT

AI Summary

Microsoft has released patches for two zero-day vulnerabilities in Microsoft Defender that were actively exploited in attacks. The flaws allowed attackers to bypass detection and execute code or elevate privileges. Organizations are urged to apply the updates immediately to prevent exploitation. The vulnerabilities highlight the risk of targeting security software to evade defenses.

Why do I care?

These zero-days directly undermine Defender's ability to detect threats, leaving systems exposed to further attacks.

What can I do about it?

Apply the latest Defender updates immediately, monitor for indicators of compromise related to these CVEs, and ensure other security controls are operational.

Classification

Vulnerability, Critical Severity, Exploit, Zero-day

Source

Source feed: Bleeping Computer | Original source

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 07:35:53 GMT

AI Summary

A nine-year-old Linux kernel vulnerability (CVE-2026-46333) has been disclosed, enabling unprivileged local users to execute arbitrary commands as root on major Linux distributions. The flaw arises from improper privilege management and carries a CVSS score of 5.5 (medium severity). While local access is required, exploitation poses significant risks in multi-user or cloud environments. Immediate patching from distribution vendors is recommended to prevent full system compromise.

Classification

Vulnerability, Medium Severity, Privilege Escalation

Source

Source feed: The Hacker News | Original source

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 03:44:11 GMT

AI Summary

Drupal released security updates for a highly critical vulnerability (CVE-2026-9082, CVSS 6.5) in Drupal Core affecting PostgreSQL sites. The flaw, located in a database abstraction API, allows remote code execution, privilege escalation, or information disclosure. Organizations running Drupal with PostgreSQL should apply the patches immediately. No active exploitation or threat actors were mentioned.

Classification

Vulnerability, Medium Severity, Information Disclosure, Privilege Escalation, Remote Code Execution

Source

Source feed: The Hacker News | Original source

The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.

Thu, 21 May 2026 00:00:00 GMT

AI Summary

The article discusses how AI-assisted vulnerability discovery, exemplified by Mythos and Daybreak, is compressing the timeline from disclosure to exploit from days to minutes, but the core challenge remains prioritization. With disclosed vulnerabilities nearly doubling to 50,000 in 2025, most organizations struggle with manual triage, leading to backlogs of critical exposures. The author argues that intelligence-led programs, which correlate findings with real-world adversary activity, are essential to keep pace. A financial services firm reclaimed 20 hours per week by automating triage. The key threat is not the volume of vulnerabilities but the speed of exploitation and the difficulty of identifying which ones matter. Boards are now asking about this, and leaders who demonstrate intelligence-driven readiness will gain credibility and resources.

Why do I care?

As AI accelerates the speed from vulnerability disclosure to exploit, organizations that lack intelligence-led prioritization risk being overwhelmed by noise and missing critical exposures.

What can I do about it?

Invest in an intelligence layer that correlates vulnerability findings with real-world adversary activity and automates triage to focus resources on the most urgent threats.

Classification

Vulnerability, High Severity, AI-driven Threat Acceleration, Vulnerability Exploitation

Source

Source feed: Recorded Future | Original source

The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.

Thu, 21 May 2026 00:00:00 GMT

AI Summary

The article addresses the overwhelming challenge of vulnerability prioritization as disclosed vulnerabilities nearly double over five years, reaching approximately 50,000 in 2025, with AI accelerating exploit development from days to minutes. Only a small fraction (less than 1%) are weaponized, yet most organizations struggle with manual triage backlogs. The key threat is the growing gap between discovery and effective response, exacerbated by AI-assisted discovery surfacing exposures within existing environments, often overlooked by perimeter-focused defenses. The recommended mitigation is an intelligence-led vulnerability program that automatically correlates findings with real-world adversary activity, enabling teams to prioritize and fix what actually matters at machine speed, thus reducing noise and recovering analyst time for strategic work.

Classification

Vulnerability, Medium Severity, Vulnerability Exploitation

Source

Source feed: Recorded Future | Original source

Hackers bypass SonicWall VPN MFA due to incomplete patching

Bill Toulas — Wed, 20 May 2026 21:19:17 GMT

AI Summary

Threat actors exploited incomplete patching on SonicWall Gen6 SSL-VPN appliances to brute-force credentials and bypass multi-factor authentication (MFA), enabling deployment of ransomware tools. This vulnerability exposes organizations to network compromise and ransomware attacks. To mitigate, organizations should apply the latest SonicWall firmware patches, enforce strong password policies, and implement additional MFA layers such as hardware tokens or biometrics. Continuous monitoring for brute-force attempts and unusual VPN activity is also critical.

Why do I care?

Unpatched SonicWall VPNs allow attackers to bypass MFA and deploy ransomware, leading to full network compromise and data loss.

What can I do about it?

Apply vendor patches immediately, enforce hardware-based MFA, monitor logs for brute-force attempts, and implement account lockout policies.

Classification

Vulnerability, Critical Severity, Brute Force, MFA Bypass, Ransomware

Source

Source feed: Bleeping Computer | Original source

Processes and Culture Top Reasons Behind Data Breaches

Arielle Waldman — Wed, 20 May 2026 17:42:30 GMT

AI Summary

Government leaders reported that despite state laws intended to improve cyber hygiene, analysis of data breach incidents shows persistent issues with security processes and culture, and inadequate visibility into threats. The findings highlight that technical measures alone are insufficient; organizational practices and awareness must be addressed to reduce the risk of breaches. The impact is continued exposure to data breaches, potentially affecting sensitive government information and public trust. Mitigation requires a cultural shift towards security, better training, and improved monitoring and reporting mechanisms.

Classification

Vulnerability, Medium Severity, Data Breach

Source

Source feed: Dark Reading | Original source

Patch Now: Critical Flaw in OT Robot OS Gives Attackers Control

Elizabeth Montalbano — Wed, 20 May 2026 16:12:08 GMT

AI Summary

The article reports a critical remote command injection vulnerability in an OT Robot OS that allows unauthenticated attackers to gain full remote access and control over robotic systems. This could cause significant operational disruption in industrial environments. Immediate patching is essential.

Why do I care?

Attackers can exploit this vulnerability without credentials to take over robotic systems, potentially causing major downtime or physical damage.

What can I do about it?

Apply the vendor patch immediately and ensure OT systems are segmented and monitored for anomalous access.

Classification

Vulnerability, Critical Severity, Command Injection

Source

Source feed: Dark Reading | Original source

Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass

Ionut Arghire — Wed, 20 May 2026 15:39:00 GMT

AI Summary

Microsoft has released mitigations for the 'YellowKey' BitLocker bypass vulnerability, which could allow attackers with physical or local access to bypass full disk encryption. The exploit leverages the FsTx Auto Recovery Utility within the Windows Recovery Environment. The mitigation specifically prevents that utility from starting when the WinRE image launches, effectively closing the bypass. Organizations using BitLocker should apply this mitigation promptly to protect sensitive data on encrypted devices. While no active exploitation has been reported, the severity of the vulnerability warrants immediate attention to prevent potential data compromise.

Why do I care?

The YellowKey vulnerability bypasses BitLocker encryption, potentially exposing sensitive data on encrypted devices if exploited by an attacker with physical access.

What can I do about it?

Apply Microsoft's mitigation to your Windows Recovery Environment images to prevent the FsTx Auto Recovery Utility from starting, reducing the risk of BitLocker bypass.

Classification

Vulnerability, High Severity, Bypass

Source

Source feed: SecurityWeek | Original source

Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow

Ram Shankar Siva Kumar — Wed, 20 May 2026 15:00:00 GMT

AI Summary

The article introduces RAMPART and Clarity, two open-source tools from Microsoft designed to enhance safety in the development of agentic AI systems. As AI agents increasingly access emails, CRMs, and execute code, they pose new safety risks due to their ability to act autonomously. RAMPART provides a continuous testing framework for red teaming and incident replication, enabling engineers to encode adversarial scenarios as repeatable tests. Clarity helps teams validate design assumptions early, preventing costly rework. The tools aim to turn red team findings into reproducible engineering assets, allowing teams to detect and mitigate issues like cross-prompt injection attacks. This proactive approach reduces the cost of fixing safety failures and helps build more robust AI agents by integrating safety into the development workflow.

Classification

Vulnerability, Medium Severity, Prompt Injection

Source

Source feed: Microsoft Security Blog | Original source

Identity Alone Isn't Enough: Why Device Security Has to Share the Load

Sponsored by Specops Software — Wed, 20 May 2026 14:02:12 GMT

AI Summary

The article emphasizes that identity-centric security is insufficient against attackers who exploit stolen session tokens and compromised devices. It advocates for a Zero Trust approach that incorporates continuous device verification alongside identity checks to prevent unauthorized access. The primary threats are session hijacking and device compromise, which can bypass strong authentication. Organizations should implement device health attestation and policy enforcement to strengthen security posture.

Classification

Vulnerability, Medium Severity, Device Compromise, Session Hijacking

Source

Source feed: Bleeping Computer | Original source

1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials

Kevin Townsend — Wed, 20 May 2026 13:34:54 GMT

AI Summary

The article discusses a partnership between 1Password and OpenAI to tackle credential leakage risks posed by AI coding agents. They introduced a just-in-time credential model for OpenAI Codex that ensures secrets are never held persistently, thereby keeping credentials out of prompts, code repositories, and model context. This approach mitigates the threat of credential theft and unauthorized access that could occur if AI agents inadvertently expose sensitive information. The collaboration highlights the need for secure credential management in AI workflows. Organizations are advised to implement similar measures to protect against potential data breaches and maintain security in increasingly automated environments.

Classification

Vulnerability, Low Severity, Information Disclosure

Source

Source feed: SecurityWeek | Original source

Anthropic Silently Patches Claude Code Sandbox Bypass

Eduard Kovacs — Wed, 20 May 2026 13:00:00 GMT

AI Summary

Anthropic silently patched a sandbox bypass vulnerability in Claude Code that could be chained with prompt injection to exfiltrate sensitive data. The flaw allowed attackers to escape the restricted environment and potentially access the underlying system. The patch was applied without public disclosure, raising transparency concerns. Users should update to the latest version to mitigate risk.

Why do I care?

The Claude Code sandbox bypass could allow attackers to execute arbitrary code or exfiltrate data via prompt injection, compromising confidentiality and integrity.

What can I do about it?

Update Claude Code to the latest patched version and enforce strict input validation to prevent prompt injection attacks.

Classification

Vulnerability, High Severity, Prompt Injection, Sandbox Escape

Source

Source feed: SecurityWeek | Original source

Drupal critical update to fix bug with high exploitation risk

Bill Toulas — Wed, 20 May 2026 12:52:29 GMT

AI Summary

Drupal announced a critical core security release to patch a highly exploitable vulnerability. Threat actors are expected to develop exploits rapidly once details are disclosed. Administrators running Drupal must apply the update immediately to prevent compromise. The vulnerability poses a severe risk to unpatched systems, potentially enabling unauthorized access and control.

Why do I care?

Unpatched Drupal installations are at immediate risk of compromise due to the high exploitation potential.

What can I do about it?

Apply the security update as soon as it is released; monitor for exploit activity and consider additional access controls.

Classification

Vulnerability, Critical Severity, Exploit

Source

Source feed: Bleeping Computer | Original source

Operationalizing CTEM Faster: Build Surface Command Dashboards in Minutes

Ed Montgomery — Wed, 20 May 2026 12:15:54 GMT

AI Summary

Rapid7 introduced filter-based dashboard widgets in Surface Command, enabling security teams to build attack surface management dashboards without Cypher queries. This feature accelerates continuous threat exposure management (CTEM) by reducing friction in exposure reporting, allowing teams to scope, discover, prioritize, validate, and mobilize remediation efforts more efficiently. The widgets leverage the Command Platform's unified asset and identity graph for real-time context. While not a direct threat response, this tool helps operationalize visibility into external attack surfaces, improving overall security posture and reducing the lag between exposure discovery and action.

Classification

Vulnerability, Low Severity

Source

Source feed: Rapid7 Security Research | Original source

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA — Wed, 20 May 2026 12:00:00 GMT

AI Summary

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, all with evidence of active exploitation. The vulnerabilities affect Microsoft Windows, DirectX, Internet Explorer, Adobe Acrobat and Reader, and Microsoft Defender. They include buffer overflows, use-after-free, and elevation of privilege flaws. Federal agencies must remediate by due dates per BOD 22-01, and all organizations are urged to prioritize patching. These vulnerabilities pose significant risk as they are frequent attack vectors for malicious cyber actors.

Why do I care?

These vulnerabilities are actively exploited and pose significant risk to enterprise networks; they are a common vector for attackers.

What can I do about it?

Prioritize patching these CVEs immediately as part of your vulnerability management program; follow BOD 22-01 guidance even if not a federal agency.

Classification

Vulnerability, High Severity, Exploitation of Known Vulnerabilities

Source

Source feed: CISA Current Activity | Original source

Caught Off Guard: Securing AI After It Hits Production

Joshua Goldfarb — Wed, 20 May 2026 11:00:00 GMT

AI Summary

This article highlights the challenge of securing AI systems after they are deployed in production. As enterprises race to implement AI, security teams are often left to react to issues rather than proactively securing these systems. This reactive approach can lead to increased risk of data breaches, model manipulation, and other AI-specific threats. To mitigate these risks, organizations should integrate security into the AI development lifecycle from the start, ensuring that security controls are in place before deployment. Additionally, continuous monitoring and incident response plans should be adapted for AI environments. By shifting left and involving security early, organizations can better protect their AI investments.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Exploit released for new PinTheft Arch Linux root escalation flaw

Sergiu Gatlan — Wed, 20 May 2026 10:52:31 GMT

AI Summary

A recently patched Linux privilege escalation vulnerability, dubbed PinTheft, now has a publicly available exploit targeting Arch Linux systems. The flaw allows local attackers to escalate privileges to root, compromising system integrity. Although it requires local access, the availability of a PoC increases risk. Mitigation involves applying the latest xorg-server updates. Organizations should prioritize patching and enforce least-privilege policies to reduce the attack surface.

Why do I care?

This local privilege escalation vulnerability can turn any unprivileged access into full root compromise, threatening the entire system and data.

What can I do about it?

Immediately apply security updates to xorg-server on all Arch Linux systems, and enforce strict local access controls to mitigate exploitation.

Classification

Vulnerability, High Severity, Privilege Escalation

Source

Source feed: Bleeping Computer | Original source

How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)

Lucas Tay — Wed, 20 May 2026 09:02:31 GMT

AI Summary

A critical vulnerability (CVE-2026-3102) in ExifTool versions 13.49 and earlier on macOS allows attackers to execute arbitrary shell commands by crafting a malicious image file with specially crafted metadata. Discovered by Kaspersky GReAT, the flaw resides in an unsanitized date value that flows into the system() sink via the SetMacOSTags function. Exploitation requires the -n flag and can lead to full system compromise. The vulnerability was patched by developers in February 2026. Users are urged to update ExifTool to version 13.50 and avoid processing images from untrusted sources.

Why do I care?

This vulnerability enables remote code execution on macOS with user privileges, potentially allowing attackers to gain full control of affected systems.

What can I do about it?

Update ExifTool to version 13.50 or later immediately, and restrict execution of ExifTool on untrusted image files to mitigate the risk.

Classification

Vulnerability, Critical Severity, Arbitrary Code Execution, Command Injection

Source

Source feed: Kaspersky Securelist | Original source

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

info@thehackernews.com (The Hacker News) — Wed, 20 May 2026 08:28:26 GMT

AI Summary

Microsoft released a mitigation for CVE-2026-45585, a publicly disclosed zero-day BitLocker bypass vulnerability known as YellowKey. With a CVSS score of 6.8, this security feature bypass could allow attackers to circumvent BitLocker encryption on affected Windows systems. The vulnerability was disclosed prior to a patch, prompting Microsoft to issue a mitigation to address the attack vector. Organizations should apply the mitigation promptly to reduce exposure. No active exploitation has been reported, but the technical details are public, increasing the risk of targeted attacks. The flaw primarily impacts defense mechanisms, making systems vulnerable to data access if physical access is obtained. This incident underscores the importance of defense-in-depth strategies beyond encryption alone.

Classification

Vulnerability, Medium Severity, Security Feature Bypass

Source

Source feed: The Hacker News | Original source

Surecart - SQL Injection

Joshua Martinelle — Wed, 20 May 2026 08:18:57 GMT

AI Summary

A critical authenticated SQL injection vulnerability has been disclosed in SureCart versions prior to 4.2.1. The flaw resides in the REST API endpoint '/surecart/v1/integrations/{id}', where multiple parameters are not properly sanitized due to a faulty escaping bypass in the query builder. An attacker with valid credentials can inject arbitrary SQL by including a dot in the payload, leading to full UNION-based database extraction. This could result in the theft of sensitive data, including customer personal information and payment credentials. Users are strongly advised to update to version 4.2.1 immediately to mitigate the risk.

Why do I care?

This vulnerability allows authenticated attackers to extract the entire database, compromising sensitive customer and business data stored in the WordPress site.

What can I do about it?

Update SureCart to version 4.2.1 or later without delay. Additionally, enforce the principle of least privilege for API access and consider using a web application firewall to block SQL injection attempts.

Classification

Vulnerability, High Severity, SQL Injection

Source

Source feed: Tenable Research Advisories | Original source

Microsoft shares mitigation for YellowKey Windows zero-day

Sergiu Gatlan — Wed, 20 May 2026 07:31:15 GMT

AI Summary

Microsoft has shared mitigations for YellowKey, a zero-day vulnerability in Windows BitLocker that allows attackers to access encrypted drives without authentication. This flaw bypasses BitLocker's encryption protection, posing a critical risk to sensitive data across all supported Windows versions. Exploitation could lead to unauthorized data theft, severely undermining security. Microsoft recommends applying registry changes and disabling certain features as mitigations until a permanent patch is released. Organizations should prioritize these actions to defend against potential exploitation.

Why do I care?

The YellowKey vulnerability directly bypasses BitLocker encryption, enabling attackers to gain full access to protected drives and sensitive data without authentication.

What can I do about it?

Immediately apply Microsoft's recommended mitigations, including registry modifications and group policy changes, and monitor for official security patches to fully remediate the vulnerability.

Classification

Vulnerability, Critical Severity, Authentication Bypass, Zero-day

Source

Source feed: Bleeping Computer | Original source

Surecart - SQL Injection

Joshua Martinelle — Wed, 20 May 2026 06:52:06 GMT

AI Summary

An authenticated SQL injection vulnerability has been discovered in the SureCart plugin for WordPress, affecting version 4.1.0 and earlier. The flaw lies in the query builder's escape logic, where including a dot character bypasses SQL sanitization, allowing an attacker to inject arbitrary SQL into the WHERE clause via the REST API endpoint. This enables UNION-based data extraction from the entire database. Although authentication is required, the impact is significant as sensitive information could be compromised. Users are advised to apply security patches and implement proper input validation to mitigate risks.

Why do I care?

This vulnerability enables an authenticated attacker to exfiltrate the entire database, potentially exposing customer data and credentials.

What can I do about it?

Immediately update SureCart to the latest version, verify input sanitization for all SQL queries, and restrict API access to necessary roles only.

Classification

Vulnerability, Critical Severity, SQL Injection

Source

Source feed: Tenable Research Advisories | Original source

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector

Ionut Arghire — Wed, 20 May 2026 00:04:48 GMT

AI Summary

The Verizon 2026 DBIR reveals that vulnerability exploitation has overtaken credential theft as the primary breach vector, driven by AI-accelerated attacks and increasing patching delays. Ransomware and third-party compromises continue to surge. Organizations must prioritize timely patching and robust vulnerability management to mitigate these evolving threats.

Why do I care?

With vulnerability exploitation now the top breach vector and AI accelerating attacks, organizations face increased risk if patching is delayed.

What can I do about it?

Implement accelerated patching cycles, automate vulnerability management, and strengthen third-party risk assessments to reduce exposure.

Classification

Vulnerability, High Severity, Credential Theft, Ransomware, Third-party Compromise

Source

Source feed: SecurityWeek | Original source

A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400

Wed, 20 May 2026 00:00:00 GMT

AI Summary

GreyNoise has flagged a new spike in scanning activity targeting SonicWall devices, closely mirroring the reconnaissance pattern observed prior to the exploitation of CVE-2026-0400. This vulnerability, which allowed remote code execution, was preceded by similar scanning waves. The current surge indicates that threat actors are actively mapping vulnerable SonicWall appliances, likely preparing for mass exploitation. Organizations should consider this a high-confidence threat indicator. Immediate actions include verifying that all SonicWall firmware and SSL VPN configurations are up to date, monitoring for scanning from suspicious IP address ranges, and deploying additional network monitoring to detect potential exploitation attempts. Failure to act could lead to network compromise, data breaches, and ransomware deployment. GreyNoise recommends blocking known scanning sources and implementing virtual patching where full updates are not yet possible.

Why do I care?

This scanning activity indicates adversaries are preparing to exploit SonicWall vulnerabilities, mirroring patterns that preceded a known CVE. Organizations that ignore this signal risk network compromise and data breaches.

What can I do about it?

Ensure all SonicWall devices are patched to the latest version, monitor for scanning from suspicious sources, and block reconnaissance probes at the firewall level. Enable logging and alerting for unusual access attempts.

Classification

Vulnerability, High Severity, Reconnaissance, Vulnerability Scanning

Source

Source feed: GreyNoise Blog | Original source

The AntV Supply Chain Campaign Expands: Microsoft's `durabletask` PyPI Package Compromised

Tue, 19 May 2026 23:00:00 GMT

AI Summary

Microsoft's `durabletask` package on PyPI was compromised in a supply chain attack, following the earlier AntV npm incident. The same campaign appears to target the Python package, potentially exposing users to malicious code. Organizations using `durabletask` should verify package integrity and consult Snyk's vulnerability database for details. The impact could include unauthorized access, data exfiltration, or further compromise of dependent systems. Immediate action includes auditing dependencies and monitoring for anomalous behavior.

Why do I care?

Supply chain attacks on widely used packages can rapidly spread malware across multiple organizations, leading to credential theft, data loss, or ransomware deployment.

What can I do about it?

Utilize dependency scanning tools like Snyk, maintain strict package integrity checks, and enforce multi-factor authentication for all code repositories and package publishing.

Classification

Vulnerability, High Severity, Supply Chain Attack

Source

Source feed: Snyk Blog | Original source