Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Universal Robots PolyScope 5 cobots: unauthenticated RCE on Dashboard Server (CVE-2026-8153, CVSS 9.8) - patch out

Universal Robots, the Danish maker of the PolyScope 5 collaborative-robot controllers used across manufacturing, logistics, automotive, and healthcare, has patched CVE-2026-8153, a CVSS 9.8 OS command injection in the Dashboard Server interface. The server accepts user-controlled input and passes it to the underlying Linux OS without proper neutralization, so anyone with network access to the Dashboard Server port can achieve unauthenticated remote code execution on the robot controller - effectively a Linux machine wired directly into physical machinery. Vera Mens of Claroty Team82 discovered and reported the flaw through CISA and CERT/CC's VINCE coordination. Exploitation requires the Dashboard Server to be enabled in the UI.

Check
Inventory Universal Robots PolyScope 5 deployments and their firmware version. Identify whether the Dashboard Server is enabled and reachable from any network beyond the management VLAN.
Affected
Universal Robots PolyScope 5 controllers with the Dashboard Server enabled and its port reachable by the attacker. Cobots in manufacturing, logistics, automotive, and healthcare are typical deployments.
Fix
Apply Universal Robots' patch for CVE-2026-8153. Disable the Dashboard Server where not strictly needed. Place cobot controllers on a separate OT VLAN with strict ACLs from corporate networks.

Ubiquiti patches three max-severity UniFi OS flaws (CVE-2026-34908/34909/34910) plus two more - ~100K endpoints exposed online

Ubiquiti has shipped patches for five UniFi OS vulnerabilities, three of which are CVSS-maximum and exploitable by remote unauthenticated attackers. CVE-2026-34908 is an improper access control that lets attackers make unauthorized changes; CVE-2026-34909 is a path traversal that reaches an underlying system account; CVE-2026-34910 is an unauthenticated command injection. Two additional flaws (CVE-2026-33000, a critical command injection, and CVE-2026-34911, a high-severity info disclosure) were also patched. All five came through Ubiquiti's HackerOne program. Censys is tracking close to 100,000 internet-exposed UniFi OS endpoints, around 50,000 of them in the US. Ubiquiti products were previously hijacked into the GRU-operated Moobot botnet.

Check
Inventory UniFi OS devices (Dream Machine, Cloud Key, UNVR, UCG) and their firmware version. Censys-check your egress IPs for exposed UniFi web interfaces and management ports.
Affected
All UniFi OS Consoles (Dream Machine, Cloud Key, UNVR, UCG) before the May 22 patches. Roughly 100,000 internet-exposed endpoints worldwide, with about 50,000 in the United States.
Fix
Apply Ubiquiti's UniFi OS updates immediately via the Network app or controller. Move management interfaces off the public internet. Restrict admin access to a management VLAN behind VPN.

Hunt.io: Saudi Telecom hosts 72% of Middle East C2 servers; 1,350+ servers across 98 providers in 14 countries

Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.

Check
Add STC, SERVERS TECH FZCO, OMC, Türk Telekom, and Regxa to your provider-level egress monitoring and threat-intel correlation. Pull Hunt.io's published IoC list for the named campaigns.
Affected
Any organization whose users or systems communicate with Middle Eastern infrastructure. Provider-level visibility (versus per-IP) is now the more durable signal as attackers rotate domains and IPs daily.
Fix
Shift detection rules from per-IP IoCs to provider/ASN-level monitoring where business-justified. Block known bulletproof providers like Regxa at egress. Add Cobalt Strike, AsyncRAT, Mirai, and Sliver beacon hunts.

GitHub confirms 3,800 internal repos stolen after employee installed malicious Nx Console VS Code extension (TeamPCP)

GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.

Check
Identify VS Code endpoints with the Nx Console extension. Confirm version is 18.100.0 or newer. Check for cat.py and kitty-monitor IoCs and outbound traffic to attacker C2 published by Nx.
Affected
Any developer machine that installed Nx Console 18.95.0 during the 11-minute window on May 18 (12:36-12:47 UTC). GitHub.com itself confirms 3,800 internal repos exfiltrated from one employee device.
Fix
Update to Nx Console 18.100.0. Audit access from GitHub-employee or contractor devices; rotate every credential, token, and SSH key reachable from machines that ran the trojanized version.

Microsoft Defender zero-days CVE-2026-41091 (SYSTEM LPE) and CVE-2026-45498 (DoS) exploited in attacks, added to CISA KEV

Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.

Check
Open Windows Security > Virus & threat protection > Protection Updates and click Check for updates. Verify Antimalware Platform >= 4.18.26040.7 and Malware Protection Engine >= 1.1.26040.8.
Affected
Windows endpoints running Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, or Defender Antimalware Platform 4.18.26030.3011 and earlier. Default config auto-updates, but air-gapped or restricted networks may lag.
Fix
Confirm Defender definitions and platform updates auto-install. FCEB agencies must patch by June 3 per CISA BOD 22-01. Investigate any KEV-listed legacy CVE-2008-4250/2009-1537/2009-3459/2010-0249/2010-0806 hits.

Qualys discloses 9-year-old Linux kernel ptrace flaw CVE-2026-46333 (ssh-keysign-pwn) - root via chage, ssh-keysign, pkexec, accounts-daemon

Qualys has disclosed a 9-year-old privilege management flaw in the Linux kernel that lets an unprivileged local user disclose /etc/shadow and host SSH private keys, then chain four different post-disclosure exploits (chage, ssh-keysign, pkexec, and accounts-daemon) to execute commands as root. The bug is tracked as CVE-2026-46333 and was introduced in November 2016 in the kernel's __ptrace_may_access() function. It affects default installs of Debian, Fedora, and Ubuntu. A proof-of-concept has been released and a public kernel commit landed. Qualys recommends rotating SSH host keys on any host that allowed untrusted local users before patching.

Check
Run uname -r to inventory kernels. Identify hosts that allow untrusted local users (shared dev boxes, multi-tenant CI runners, jump hosts). Search /var/log/auth.log for unusual chage/ssh-keysign/pkexec/accounts-daemon invocations.
Affected
Default installs of Debian, Fedora, and Ubuntu running Linux kernels that include the November 2016 __ptrace_may_access() change. Servers that allow local user shells are at highest risk.
Fix
Apply the latest distribution kernel updates. Temporary workaround: set kernel.yama.ptrace_scope = 2. Rotate SSH host keys and any credentials held by setuid processes on hosts that allowed untrusted local users.

PinTheft Arch Linux LPE: RDS zerocopy double-free turned into io_uring page-cache overwrite, PoC released

The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation tied to a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that can be turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no assigned CVE yet. Exploitation requires the RDS module to be loaded - default only on Arch Linux among the major distributions - plus io_uring enabled and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.

Check
Inventory Arch Linux hosts with `pacman -Q linux`. Check if RDS is loaded via `lsmod | grep rds`. Look for unexpected root shells from low-privilege users in audit logs since 2026-05-20.
Affected
Linux kernels with the RDS module enabled (default only on Arch Linux among common distros) plus io_uring enabled and a readable SUID-root binary. PoC tested on x86_64.
Fix
Apply the latest Arch Linux kernel update. Temporary mitigation: `rmmod rds_tcp rds` and blacklist via /etc/modprobe.d/pintheft.conf. Audit io_uring usage and consider raising its sysctl restrictions.

Microsoft ships mitigation for YellowKey BitLocker bypass (CVE-2026-45585), no patch yet - PoC published, TPM+PIN required

Microsoft has assigned CVE-2026-45585 and shipped mitigation guidance for YellowKey, a Windows BitLocker bypass that anonymous researcher 'Nightmare Eclipse' disclosed last week with a working PoC. The attack places crafted FsTx files on a USB drive or EFI partition, reboots into WinRE, and holds CTRL during boot to drop into a shell with full access to BitLocker-protected drives. Microsoft says no patch is available yet. Mitigations include removing the autofstx.exe entry from Session Manager's BootExecute and reconfiguring BitLocker to require TPM+PIN at startup. Nightmare Eclipse is the same researcher who recently dropped BlueHammer, RedSun, GreenPlasma, UnDefend, and MiniPlasma.

Check
Inventory Windows endpoints with BitLocker enabled. Check whether autofstx.exe is listed in HKLM\System\CurrentControlSet\Control\Session Manager BootExecute. Look for unattended USB media access on shared or kiosk machines.
Affected
Windows endpoints with BitLocker in TPM-only mode (no PIN). YellowKey requires physical access to drop FsTx files on a USB drive or the EFI partition before triggering WinRE boot.
Fix
Remove autofstx.exe from BootExecute and re-establish BitLocker trust for WinRE per CVE-2026-33825 advisory. Reconfigure BitLocker to TPM+PIN. Restrict USB boot and BIOS access on shared endpoints.

SonicWall Gen6 SSL-VPN MFA bypass (CVE-2024-12802) actively exploited - firmware patch alone insufficient, LDAP reconfiguration required

ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.

Check
Inventory SonicWall Gen6 SSL-VPN appliances and confirm the LDAP reconfiguration was done after the firmware patch. Search VPN logs for 30-60 minute logins from new IPs in the last 90 days.
Affected
SonicWall Gen6 SSL-VPN devices running patched firmware but with LDAP still configured to use userPrincipalName in the 'Qualified login name' field. Gen7 and Gen8 are patched by firmware alone.
Fix
On Gen6: delete the existing LDAP config, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, then rebuild LDAP without userPrincipalName per SonicWall's advisory.

Drupal ships highly critical PostgreSQL RCE fix across 11.x and 10.x - SA-CORE patches now live, Drupal 7 unaffected

Drupal has shipped the highly critical core security release teased by PSA-2026-05-18. The flaw lets attackers achieve remote code execution on Drupal sites running PostgreSQL backends. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, making the upgrade essential even on MySQL deployments. Best-effort manual patches are available for end-of-life Drupal 9.5 and 8.9. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.

Check
Inventory Drupal sites, confirm core version, and identify PostgreSQL-backed deployments (highest-impact path). Check for unusual database queries or admin-account changes during the May 20 disclosure window.
Affected
Drupal core 11.3.x, 11.2.x, 11.1.x, 10.6.x, 10.5.x, 10.4.x. Best-effort patches for EOL 9.5 and 8.9. Drupal 7 not affected. PostgreSQL backends face RCE; MySQL deployments still need the upgrade.
Fix
Upgrade Drupal core to 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, or 10.4.10 immediately. For EOL 9.5 and 8.9, apply the manual patches and plan migration to a supported branch.