Universal Robots, the Danish maker of the PolyScope 5 collaborative-robot controllers used across manufacturing, logistics, automotive, and healthcare, has patched CVE-2026-8153, a CVSS 9.8 OS command injection in the Dashboard Server interface. The server accepts user-controlled input and passes it to the underlying Linux OS without proper neutralization, so anyone with network access to the Dashboard Server port can achieve unauthenticated remote code execution on the robot controller - effectively a Linux machine wired directly into physical machinery. Vera Mens of Claroty Team82 discovered and reported the flaw through CISA and CERT/CC's VINCE coordination. Exploitation requires the Dashboard Server to be enabled in the UI.
Ubiquiti has shipped patches for five UniFi OS vulnerabilities, three of which are CVSS-maximum and exploitable by remote unauthenticated attackers. CVE-2026-34908 is an improper access control that lets attackers make unauthorized changes; CVE-2026-34909 is a path traversal that reaches an underlying system account; CVE-2026-34910 is an unauthenticated command injection. Two additional flaws (CVE-2026-33000, a critical command injection, and CVE-2026-34911, a high-severity info disclosure) were also patched. All five came through Ubiquiti's HackerOne program. Censys is tracking close to 100,000 internet-exposed UniFi OS endpoints, around 50,000 of them in the US. Ubiquiti products were previously hijacked into the GRU-operated Moobot botnet.
Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.
GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.
Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.
Qualys has disclosed a 9-year-old privilege management flaw in the Linux kernel that lets an unprivileged local user disclose /etc/shadow and host SSH private keys, then chain four different post-disclosure exploits (chage, ssh-keysign, pkexec, and accounts-daemon) to execute commands as root. The bug is tracked as CVE-2026-46333 and was introduced in November 2016 in the kernel's __ptrace_may_access() function. It affects default installs of Debian, Fedora, and Ubuntu. A proof-of-concept has been released and a public kernel commit landed. Qualys recommends rotating SSH host keys on any host that allowed untrusted local users before patching.
The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation tied to a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that can be turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no assigned CVE yet. Exploitation requires the RDS module to be loaded - default only on Arch Linux among the major distributions - plus io_uring enabled and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.
Microsoft has assigned CVE-2026-45585 and shipped mitigation guidance for YellowKey, a Windows BitLocker bypass that anonymous researcher 'Nightmare Eclipse' disclosed last week with a working PoC. The attack places crafted FsTx files on a USB drive or EFI partition, reboots into WinRE, and holds CTRL during boot to drop into a shell with full access to BitLocker-protected drives. Microsoft says no patch is available yet. Mitigations include removing the autofstx.exe entry from Session Manager's BootExecute and reconfiguring BitLocker to require TPM+PIN at startup. Nightmare Eclipse is the same researcher who recently dropped BlueHammer, RedSun, GreenPlasma, UnDefend, and MiniPlasma.
ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.
Drupal has shipped the highly critical core security release teased by PSA-2026-05-18. The flaw lets attackers achieve remote code execution on Drupal sites running PostgreSQL backends. Fixed versions are 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10. The releases for supported branches also pull in upstream Symfony and Twig security fixes, making the upgrade essential even on MySQL deployments. Best-effort manual patches are available for end-of-life Drupal 9.5 and 8.9. Drupal 7 is not affected. The Drupal Security Team had warned that working exploits could follow within hours of disclosure, so administrators should patch now.