Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check
Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.
Affected
NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.
Fix
Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.

Unpatched Windows BitLocker bypass and SYSTEM elevation PoCs dropped on GitHub by a disgruntled researcher - YellowKey and GreenPlasma hit Windows 11 and Server 2022/2025

A researcher who calls themselves Chaotic Eclipse - and who has weaponized every prior Windows flaw they have leaked this year - dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.

Check
Inventory which Windows 11, Server 2022, and Server 2025 endpoints have BitLocker in TPM-only mode (the default on most consumer hardware), and identify machines that ever leave secured premises.
Affected
Windows 11 and Windows Server 2022/2025 with BitLocker in TPM-only mode. Windows 10 is unaffected. GreenPlasma privilege escalation hits Windows 11 and Server 2022/2025.
Fix
No patch yet. Switch BitLocker from TPM-only to TPM+PIN, set a BIOS or UEFI admin password, and disable USB boot in firmware. Watch for a Microsoft out-of-band release before next Patch Tuesday.

Third Linux kernel root exploit in three weeks - 'Fragnesia' rides the same ESP-in-TCP code path as Dirty Frag and ships with a public proof-of-concept (CVE-2026-46300)

Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root in one command. The public proof-of-concept overwrites /usr/bin/su in memory using a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.

Check
List Linux hosts where untrusted users can get a shell (multi-tenant servers, container build farms, CI runners) and verify whether the esp4/esp6/rxrpc module blacklist from Dirty Frag is still in place.
Affected
All Linux kernels released before May 13, 2026, including AlmaLinux 8/9/10, CloudLinux 7h/8/9/10, RHEL, Ubuntu, Debian, and openSUSE. Requires unprivileged user namespace creation enabled.
Fix
Install the patched kernel from your distribution as it lands (AlmaLinux and CloudLinux first), or use KernelCare for rebootless livepatches. Interim mitigation: blacklist esp4, esp6, and rxrpc modules, then drop the page cache.

China-linked FamousSparrow spent three months breaking back into an Azerbaijani oil and gas company through the same Microsoft Exchange flaw - first known China APT hit on South Caucasus energy

Bitdefender researchers documented a China-linked espionage group called FamousSparrow repeatedly compromising an Azerbaijani oil and gas company between late December 2025 and late February 2026. Each time the victim cleaned up, the attackers came back through the same unpatched Microsoft Exchange Server and dropped a new backdoor - first Deed RAT (a ShadowPad relative used by several Chinese groups), then TernDoor. The group overlaps with the Earth Estries cluster, which itself overlaps with Salt Typhoon. This is the first time FamousSparrow has been seen targeting South Caucasus energy infrastructure, a region whose role in supplying gas to Europe grew sharply after Russia's Ukraine transit deal expired.

Check
Audit Microsoft Exchange Server patch status across the estate, hunt for DLL sideloading patterns where signed executables load suspicious libraries, and search proxy and DNS logs for connections to sentinelonepro[.]com.
Affected
Internet-exposed Microsoft Exchange Server instances. Energy sector organizations operating in or partnering with Azerbaijan, Armenia, and Georgia, plus their European downstream gas customers.
Fix
Patch Exchange to the current security update and confirm ProxyNotShell-class fixes are applied. Rotate credentials exposed during prior intrusions, hunt for Deed RAT and TernDoor IoCs from Bitdefender's report, and block sentinelonepro[.]com.

GemStuffer campaign turned RubyGems into a clandestine data drop - 150+ malicious gems hid scraped UK council portal pages inside Ruby packages

Socket researchers found more than 150 RubyGems packages doing something the registry was never built to do: smuggling scraped data out of UK council websites. The malicious gems fetch pages from Lambeth, Wandsworth, and Southwark's public meeting portals, bundle the responses into a normal-looking .gem archive, and push it back to RubyGems using a hardcoded API key. The attacker then downloads the data as a public gem version. Whether GemStuffer is registry spam, a worm being tested, or a deliberate trial of package-registry abuse, the mechanics are intentional - and it landed the same week RubyGems froze new account signups over a separate flood of malicious packages.

Check
Search dependency manifests and gem caches for gems published from newly registered RubyGems accounts in May 2026 with junk names, and review outbound traffic from CI runners for connections to council .gov.uk subdomains.
Affected
Any developer workstation, CI agent, or container image that allows arbitrary outbound gem installs from rubygems.org. UK local government portals (Lambeth, Wandsworth, Southwark) had public pages scraped through this channel.
Fix
Restrict gem installs to internal mirrors with allowlists, block outbound HTTP to council .gov.uk domains from build agents, and use Socket's published GemStuffer indicators to block known malicious gems.

One unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)

Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.

Check
Inventory Quest KACE SMA instances reachable from the public internet, check their version against the May 2025 patched build, and review helpdesk tickets and asset records for sensitive material that would surface in a database dump.
Affected
Quest KACE Systems Management Appliance (SMA) instances at or below the pre-May 2025 patched version. CVSS 10.0 unauthenticated SSO impersonation. CISA KEV-listed since April 2026.
Fix
Apply Quest's May 2025 patched version immediately. Remove KACE SMA from direct internet exposure (place behind VPN or firewall), rotate KACE admin credentials, and audit for unauthorized accounts created via runkbot.exe.

Backend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public

The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.

Check
Pull historical access logs for Fortinet and Cisco edge appliances and check for credentials matching infostealer log dumps, then hunt for NTLM relay activity consistent with CVE-2025-33073 in Windows event logs.
Affected
Organizations exposed to The Gentlemen include any running FortiGate or Cisco edge gear with CVE-2024-55591, CVE-2025-32433, or CVE-2025-33073 unpatched, and downstream clients of compromised IT service providers.
Fix
Patch CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Enforce MFA on every edge-management interface, rotate credentials that appear in infostealer logs, and load Check Point's 'Thus Spoke The Gentlemen' IoCs into your EDR and firewall blocklists.

BWH Hotels (Best Western's parent) had attackers in its reservation system for over six months - guests' contact details and stay records exposed across Best Western, WorldHotels, and SureStay brands

BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.

Check
Search corporate travel and expense systems for stays at BWH-branded properties between October 2025 and April 2026, and warn frequent business travelers to treat any unexpected reservation emails as suspect.
Affected
BWH Hotels guests with reservations in the affected web application between October 14, 2025, and April 22, 2026. Brands include Best Western, Best Western Hotels and Resorts, WorldHotels, SureStay, and Sure Hotels.
Fix
Treat any unexpected emails or texts referencing past BWH stays as untrusted, even if the details match. Visit the booking property's verified website directly instead of clicking links, and rotate any reused passwords.

Skoda Auto's German online shop breached via e-commerce software flaw - customer names, addresses, phones, and password hashes exposed; server logs cannot confirm full exfiltration

Skoda Auto, the Volkswagen Group's Czech-built carmaker with 34,000 employees and 27 billion euros in annual sales, disclosed that attackers exploited a flaw in its German online shop software to access customer data. The breach hit shop.skoda-auto.de, not Skoda's global systems or the Skoda Connect portal. Exposed information includes names, addresses, email addresses, phone numbers, order history, account data, and password hashes. Payment card details were not stored on the affected system. Skoda took the shop offline, patched the flaw, and engaged external forensics, but admitted its server logs cannot retrospectively confirm exactly what data was copied out during the intrusion window.

Check
Check the email account used for any past Skoda online shop orders, search your password manager for credentials reused across Skoda and other services, and watch for German-language phishing referencing real order numbers.
Affected
Customers who created an account or placed an order on shop.skoda-auto.de (Skoda Auto Germany's online store). The Skoda Connect Portal and Skoda's global systems are not affected per the company.
Fix
Change the Skoda online shop password and any other service using the same credentials, and enable MFA where available. Do not click links in emails or texts about Skoda orders; verify directly through the shop website.

Telehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed

OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.

Check
Search HR and benefits records for employee enrollments in telehealth programs (weight loss, men's health, hormone therapy) that may run on OpenLoop's backend, and review supplier security questionnaires for any telehealth vendor.
Affected
Patients of any consumer telehealth platform that uses OpenLoop Health as its clinical infrastructure provider. 716,000 individuals confirmed via HHS OCR; threat actor Stuckin2019 claimed 1.6 million.
Fix
Affected individuals should enroll in the free IDX credit and identity monitoring OpenLoop is offering, and watch for medical-themed phishing for at least 12 months. Treat unexpected appointment reminders or prescription notices as suspect until verified.