Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Insurance provider Kemper added to Have I Been Pwned with 269,299 breached accounts; new financial-services dataset searchable

Have I Been Pwned has added US insurance provider Kemper to its breach corpus with 269,299 unique email addresses. Kemper offers auto, home, life, and health insurance across the United States. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected customers should anticipate insurance-themed phishing - claim-status updates, policy-renewal prompts, or premium-refund lures. The addition continues a steady run of US financial-services and insurance breaches surfacing in HIBP through late May.

Check
Check whether your @corp emails appear in HIBP's Kemper corpus. Warn affected staff and customers about insurance-themed phishing (claims, renewals, refunds) over the next 30-60 days.
Affected
269,299 unique email addresses tied to Kemper insurance accounts (auto, home, life, health). Customers are exposed to targeted insurance-themed social engineering.
Fix
Affected individuals: rotate Kemper passwords, enable MFA, scrutinize unsolicited insurance communications. Organizations: add Kemper to breach-monitoring watchlists and brief help desks on potential impersonation.

KnowledgeDeliver LMS zero-day CVE-2026-5426 deploys Godzilla web shell via ViewState deserialization - shared hardcoded ASP.NET machine keys across customers

Mandiant has disclosed that attackers exploited a zero-day in the KnowledgeDeliver learning management system (CVE-2026-5426) to deploy the Godzilla in-memory web shell and a custom-encrypted Cobalt Strike beacon. The flaw is a deserialization issue tied to identical pre-shared ASP.NET machine keys distributed in the vendor's default web.config across all customer deployments installed before February 24, 2026. With the shared machineKey, an attacker forges signed ViewState payloads and achieves unauthenticated RCE at the OS level. The threat actor escalated control to modify the platform's JavaScript files, prompting users to install a fake 'security authentication plugin' that delivered the Cobalt Strike payload.

Check
Inventory KnowledgeDeliver LMS installations and the deployment date. Check web.config for hardcoded machineKey values. Search IIS logs for unusual ViewState payloads since late 2025.
Affected
All KnowledgeDeliver LMS installations deployed before February 24, 2026. The hardcoded ASP.NET machineKey is shared across all customers, enabling forged ViewState attacks for unauthenticated RCE.
Fix
Rotate machineKey to unique per-deployment values immediately. Patch to the latest KnowledgeDeliver release. Hunt for Godzilla/BlueBeam in-memory web shells and Cobalt Strike beacons across IIS application pools.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

Microsoft Defender for Endpoint adds automatic device isolation as part of automatic attack disruption (preview)

Microsoft has rolled out a preview of automatic device isolation in Microsoft Defender for Endpoint as part of its automatic attack disruption feature. When Defender detects a compromised endpoint, it now disconnects the device from the network without operator action, while preserving the Defender management channel so the host can still be monitored, investigated, and released. Security teams can release a device from containment after triage via 'Release from isolation' on the Device inventory or device page. The feature works only on onboarded end-user workstations. It joins earlier preview controls for blocking traffic to unmanaged endpoints and isolating compromised user accounts.

Check
Review Defender for Endpoint Action Center preview features in the Microsoft 365 Defender portal. Confirm automatic device isolation is enabled for high-risk endpoint groups.
Affected
Organizations relying on Defender for Endpoint where manual response to compromise alerts has historically been slow enough to allow lateral movement or data exfiltration.
Fix
Enable automatic device isolation in preview. Define release-from-isolation runbooks. Pair with automatic user-account isolation already available. Document operator override procedures for false positives.

CISA emergency directive: federal agencies must patch Drupal CVE-2026-9082 by midnight May 27; Imperva sees 15K attacks across 65 countries

CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.

Check
Inventory Drupal sites by branch and version, especially PostgreSQL-backed deployments. FCEB agencies: confirm patch is applied by midnight May 27. Check Imperva and Shadowserver data for any of your IPs.
Affected
All supported Drupal 11.x and 10.x branches before the patched releases (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10). 6,000 sites already targeted across 65 countries.
Fix
Patch immediately. Apply WAF rules blocking Drupal SQL injection patterns. FCEB agencies must remediate by midnight tonight per BOD 22-01. Prioritize PostgreSQL-backed deployments.

Microsoft issues out-of-band SharePoint RCE patch CVE-2026-45659 for Subscription Edition, 2019, and 2016 servers

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation but rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as priority despite the lower-likelihood rating.

Check
Inventory SharePoint deployments by edition (Subscription, 2019, 2016) and confirm patch level. Check for unusual deserialization activity in IIS logs since the patch ships.
Affected
Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016 prior to the May 26 out-of-band updates.
Fix
Apply Microsoft's out-of-band CVE-2026-45659 patches across all SharePoint versions. Rotate machine keys after patching - prior SharePoint key-theft incidents enabled persistent post-patch access.

MuddyWater (Seedworm) 'Operation Olalampo' espionage hits 9 countries with DLL sideloading via sentinelmemoryscanner.exe and ChromElevator browser theft

Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor uses DLL sideloading by abusing two trusted binaries - sentinelmemoryscanner.exe sideloads sentinelagentcore.dll - to deploy the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.

Check
Hunt Windows endpoints for sentinelmemoryscanner.exe with a sideloaded sentinelagentcore.dll. Check outbound traffic to 157.20.182[.]49 and sendit[.]sh. Watch for Node.js execution on non-developer hosts.
Affected
Organizations in MuddyWater's typical target sectors (telecom, government, defense, energy) across nine countries. Symantec/Carbon Black/Huntress confirm at least one South Korean electronics manufacturer hit.
Fix
Block 157.20.182[.]49 and sendit[.]sh at egress. Apply Huntress and Symantec IoCs. Hunt for ChromElevator browser-credential theft. Restrict Node.js execution on non-developer endpoints.

CERT-In mandates 12-hour patching window for internet-facing KEV vulnerabilities to counter AI-assisted attacks; full risk-tiered SLA blueprint

India's national CERT has published a risk-tiered patch SLA blueprint in response to AI-assisted attack acceleration. Internet-facing systems with KEV-listed vulnerabilities must be remediated within 12 hours; critical externally exposed flaws within 1 day; internal-system KEV within 1 day unless documented compensating controls exist; critical internal flaws on high-value systems within 3 days; high-severity issues within 5 days. CERT-In urges defenders to assume breach, adopt Zero Trust and defense-in-depth, embed secure-by-design into AI workflows, validate via red teaming, and treat AI-system visibility as a first-class governance concern. Mitigations (isolation, WAF, monitoring) are expected when no patch is available.

Check
Inventory your current patch SLAs against CERT-In's tiers. Identify any internet-facing systems with KEV CVEs older than 12 hours. Map AI workflows and governance gaps.
Affected
Any organization with patch SLAs measured in weeks/months on internet-facing systems. AI-assisted attacks compress exploit-development to hours/days; old SLAs are now structurally inadequate.
Fix
Adopt CERT-In's tiered SLA: 12hr for internet-facing KEV, 1d for critical exposed or internal KEV, 3d for critical internal high-value, 5d high-severity. Pair with Zero Trust isolation and WAF controls.

Iran's Nimbus Manticore (UNC1549) accelerated wartime ops with AI-assisted MiniFast backdoor, trojanized Zoom installers, and SEO poisoning of SQL Developer

Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.

Check
Search EDR for AppDomain hijacking patterns spawning unsigned DLLs from Microsoft-signed executables. Hunt for trojanized Zoom installers and visits to getsqldeveloper[.]com via DNS logs.
Affected
Aviation, software, defense, and telecom organizations in the US, Europe, and Middle East. Nimbus Manticore targets employees via fake career offers, fake Zoom meetings, and SEO poisoning.
Fix
Apply Check Point IoCs. Block getsqldeveloper[.]com and known Nimbus Manticore C2 infrastructure. Train staff against unsolicited career or meeting-invitation downloads. Strengthen endpoint allowlisting against unsigned DLL sideloading.

Lithuania investigates theft of 600,000 state registry records; opposition leader alleges Russian intelligence; Centre of Registers chief resigns

Lithuanian authorities are investigating the theft of around 600,000 records from the country's Centre of Registers, which holds state registry data. The breach was detected in early April and disclosed publicly only after weeks of internal investigation. Centre of Registers chief Adrijus Jusas resigned Monday, citing years of underinvestment that would need ~€60 million to address. The leader of Lithuania's conservative opposition alleges 'hallmarks of a Russian intelligence operation' and warns the data (including residential addresses linked to sensitive government personnel) could enable surveillance, phishing, and sabotage planning. Lithuanian prosecutors have neither confirmed nor denied Russian involvement.

Check
If your organization has Lithuanian operations or staff with state registry records, treat residential addresses and personal identifiers as compromised. Monitor for targeted phishing and impersonation.
Affected
Lithuanian citizens and residents whose data is held by the Centre of Registers. Sensitive government personnel are at heightened risk per the opposition leader's warning about surveillance use.
Fix
Lithuanian operations: update access credentials per government guidance. Watch for spear-phishing using residential-address pretexts. NATO/EU defenders: assume similar Eastern European registries are next given the precedent.