Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Second maximum-severity Cisco Catalyst SD-WAN auth bypass exploited as a zero-day by sophisticated UAT-8616 actor - CISA gives federal agencies until May 17 to patch (CVE-2026-20182)

Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.

Check
Identify on-prem and cloud Cisco Catalyst SD-WAN Controller and Manager instances, compare any successful peer IPs to the configured System IPs under WebUI > Devices > System IP, and open a Cisco TAC case for unknown peers.
Affected
Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and Cisco-managed SD-WAN Cloud deployments. Maximum severity (CVSSv3 10.0).
Fix
Upgrade to the fixed releases listed in Cisco advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately - CISA Emergency Directive 26-03 set the federal deadline at May 17, 2026. Restrict internet exposure of UDP/12346 to trusted peers only.

Critical 'Dead.Letter' use-after-free in Exim mail server enables unauthenticated remote code execution over TLS - GnuTLS builds only (CVE-2026-45185)

Exim, the open-source mail transfer agent that ships as default on Debian and powers a large slice of internet mail, has a critical use-after-free in how it parses message bodies sent with the BDAT chunking extension over TLS. The flaw, CVE-2026-45185 (CVSS 9.8) and nicknamed Dead.Letter by discoverer XBOW, triggers when a TLS connection closes via close_notify mid-BDAT and Exim then processes one more cleartext byte. That byte gets written into already-freed memory, corrupting the heap, and XBOW turned it into an unauthenticated RCE primitive. Only Exim builds compiled with USE_GNUTLS=yes are affected; OpenSSL builds are not.

Check
Check installed Exim version and verify how the package was built (GnuTLS vs OpenSSL). Look for EHLO responses on TCP/25, /465, and /587 that advertise both STARTTLS and CHUNKING from any internet-facing MTA you own.
Affected
Exim versions 4.97 through 4.99.2 compiled with USE_GNUTLS=yes (the Debian default). Affects internet-facing MTAs that advertise both STARTTLS and CHUNKING (BDAT) - common on ISPs, shared hosting, university mail, and small relays.
Fix
Upgrade to Exim 4.99.3 or the matching distribution package (Debian DSA-6265-1 covers oldoldstable, oldstable, stable; Ubuntu 24.04 LTS shipped on May 12). Where patching is blocked, rebuild against OpenSSL or restrict SMTP ports to known peers.

Pwn2Own Berlin Day 1: $523,000 paid for 24 zero-days - Microsoft Edge sandbox escape, three Windows 11 privilege escalations, Red Hat root, and LiteLLM, OpenAI Codex, and NVIDIA software all fall

Day one of the Pwn2Own Berlin 2026 hacking contest at OffensiveCon paid out 523,000 dollars across 24 unique zero-days, with Trend Micro's Zero Day Initiative reporting wins against fully patched Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit and Megatron Bridge, OpenAI Codex, and LiteLLM. Orange Tsai's four-bug logic chain that escaped the Edge sandbox took the biggest single prize at 175,000 dollars. An Anthropic Claude Code entry was ruled a collision (the bug was already known to the vendor). Each affected vendor now has 90 days to ship a fix before ZDI publishes technical details.

Check
Inventory exposure to the targeted products (Edge, Windows 11, RHEL Workstations, NVIDIA Container Toolkit, LiteLLM, OpenAI Codex, Mozilla Firefox) and prepare an accelerated patch window for the next 90 days.
Affected
Fully patched Microsoft Edge, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, NVIDIA Megatron Bridge, OpenAI Codex, LiteLLM. CVEs are not yet assigned; vendors have 90 days from May 14 to ship fixes.
Fix
Subscribe to ZDI advisory notifications and upstream vendor security feeds. As patches land over the next 90 days, prioritize Edge and Windows 11 LPE fixes - sandbox escapes plus local privilege escalations chain directly into endpoint takeover.

TeamPCP Shai-Hulud aftermath: OpenAI rotates macOS code-signing certificates after employee devices breached, TeamPCP advertises 450 Mistral AI source repositories for $25K

Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.

Check
Audit which developer workstations had any TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm or PyPI packages installed since May 8, and review GitHub audit logs for token use from those machines.
Affected
Mac users of OpenAI ChatGPT Desktop, OpenAI Codex CLI, and Atlas browser apps - signed with the rotated certificates and must update before June 12, 2026. Customers of Mistral AI relying on private repos for SDK pinning.
Fix
Update affected OpenAI macOS apps before June 12. Rotate GitHub PATs, npm and PyPI tokens, cloud secrets, and SSH keys exposed on impacted developer machines. Pin Mistral and TanStack packages to known-clean releases.

Belarus-aligned FrostyNeighbor (Ghostwriter) running a new geofenced PDF phishing campaign against Ukrainian government - Ukrainian IPs get malware, everyone else gets a clean PDF

ESET researchers documented a new wave of activity from FrostyNeighbor (a.k.a. Ghostwriter, UNC1151, UAC-0057), the Belarus-aligned group that has been targeting Ukraine, Poland, and Lithuania since 2016. Since March 2026, the group has been sending spear-phishing PDFs impersonating Ukrainian telecom operator Ukrtelecom. The lure server checks the visitor's IP: Ukrainian addresses get a malicious RAR archive that drops a JavaScript version of PicassoLoader, which in turn pulls down a Cobalt Strike Beacon, while everyone else just sees a clean decoy PDF. Operators appear to manually approve which fingerprinted victims actually get the implant.

Check
Hunt email gateways and proxies for spear-phishing PDFs impersonating Ukrtelecom, search endpoint telemetry for JavaScript children of wscript.exe or cscript.exe running PicassoLoader behavior, and review outbound C2 callbacks from defense-sector users.
Affected
Ukrainian government, military, and defense organizations. Polish and Lithuanian industrial manufacturing, healthcare and pharma, logistics, and government bodies. Risk is highest for any organization with Eastern European operations.
Fix
Block known FrostyNeighbor domains and IPs from ESET's report at the network edge, deploy detections for JavaScript-stage PicassoLoader and Cobalt Strike, restrict execution of downloaded scripts via AppLocker, and brief Eastern European staff on the Ukrtelecom lure.

Iran-linked MuddyWater (Seedworm) spent a week inside a major South Korean electronics maker - DLL sideloading off Fortemedia audio and SentinelOne binaries, ChromElevator credential theft

Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.

Check
Hunt endpoints for fmapp.exe or sentinelmemoryscanner.exe loading non-standard DLLs, search proxy and DNS logs for connections to sendit[.]sh from non-IT users, and review Chrome profile access patterns from sideloaded DLL contexts.
Affected
High-tech manufacturing, electronics, industrial firms, financial services, and government agencies with intellectual-property or downstream-customer value to Iran. Operations in Asia and the Middle East are most exposed, but victims span four continents.
Fix
Add detection rules for fmapp.dll and sentinelagentcore.dll in unexpected paths, block sendit[.]sh outbound where it has no business need, watch for unusual Node.js process trees spawning cmd.exe, and review LSASS access events around the 90-second beaconing window.

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partners, enforce verified caller display in Teams admin, train staff that real IT never asks for a PowerShell paste, and add EDR rules for portable Python interpreters spawning from %APPDATA%.

PraisonAI multi-agent framework hit by internet scanners 3 hours 44 minutes after auth-bypass advisory landed (CVE-2026-44338) - 7,100-star AI project shipped 'AUTH_ENABLED = False' by default

PraisonAI, an open-source multi-agent orchestration framework with about 7,100 GitHub stars, shipped a legacy Flask API server with authentication hard-coded off (AUTH_ENABLED = False, AUTH_TOKEN = None). When the GitHub advisory and CVE-2026-44338 (CVSS 7.3) became public at 13:56 UTC on May 11, Sysdig's threat research honeypots saw a scanner identifying itself as CVE-Detector/1.0 probing the exact vulnerable endpoint at 17:40 UTC the same day - just 3 hours and 44 minutes later. The scanner enumerated /agents to confirm the auth bypass worked, then moved on. The actual impact ceiling depends on whatever the operator's agents.yaml workflow is configured to do.

Check
Search dependency manifests for PraisonAI versions 2.5.6 through 4.6.33, check whether the legacy api_server.py is exposed on port 8080 or similar to the public internet, and review web access logs for User-Agent CVE-Detector/1.0 against /agents endpoints.
Affected
PraisonAI Python package versions 2.5.6 through 4.6.33 when the legacy Flask api_server.py is used. The sample API deployment YAML inherits host: 0.0.0.0 with auth_enabled: false without warning.
Fix
Upgrade PraisonAI to 4.6.34 or later and migrate off the legacy api_server.py entrypoint. Bind to 127.0.0.1 for token-less dev work. Rotate any credentials referenced in agents.yaml and audit model-provider billing from May 11 onward.

West Pharmaceutical Services hit by ransomware - $3B injectable-packaging supplier disclosed data theft and encryption in SEC 8-K, global shipping and manufacturing disrupted

West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'

Check
Check whether your organization is a downstream customer of West Pharmaceutical Services (injectable vials, syringes, stoppers, drug delivery components), audit purchase orders and delivery delays from May 4 onward, and review supplier-risk assessments.
Affected
Customers and supply-chain partners of West Pharmaceutical Services - primarily biopharma manufacturers and contract drug fillers that depend on West for injectable packaging and delivery systems. Scope of stolen data not yet disclosed.
Fix
Engage West directly for an authoritative status update on your specific product lines, activate alternate-supplier contingencies for time-critical injectables, and treat any new emails referencing West order numbers as untrusted until verified through known account contacts.

Broadcom patches macOS local privilege escalation in VMware Fusion - SETUID TOCTOU lets unprivileged users get root on the host (CVE-2026-41702)

Broadcom released a security update for VMware Fusion to fix CVE-2026-41702, a high-severity local privilege escalation that lets any non-administrative user on a Mac running Fusion become root on the host. The flaw is a time-of-check time-of-use race condition inside a SETUID binary used by Fusion - the kind of bug that turns a foothold on a developer workstation into full host control. Researcher Mathieu Farrell reported it privately. Broadcom rated the issue 'important' (CVSSv3 7.8). The advisory landed the same week as Pwn2Own Berlin, where VMware ESXi exploits can earn participants up to 200,000 dollars - Broadcom is on-site.

Check
Inventory macOS endpoints with VMware Fusion installed (especially developer, security research, and lab fleets), check the installed Fusion version against the patched 26H1 release, and review who has local user access on those Macs.
Affected
VMware Fusion 25H2 on macOS. Exploit requires local user access to the Mac but not administrative privileges - so any shared, lab, or developer workstation is in scope.
Fix
Update VMware Fusion to 26H1 from the Broadcom Support Portal. On managed Mac fleets, push the update through MDM. Until patched, restrict shared access to Fusion-equipped Macs and prefer admin-only accounts for hands-on lab work.