Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: actively-exploited (70 articles)Clear

Critical Oracle E-Business Suite flaw now exploited for unauthenticated takeover

Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.

Check
Identify internet-facing Oracle E-Business Suite instances, confirm whether the May 2026 Critical Patch Update is applied, and review logs for suspicious requests to the Payments component and unexpected system-file access.
Affected
Oracle E-Business Suite versions 12.2.3 through 12.2.15 with the Payments component reachable over HTTP (CVE-2026-46817); unauthenticated attackers can fully compromise the system, and a private exploit is already in use.
Fix
Apply Oracle's May 2026 Critical Patch Update immediately, restrict EBS access to trusted networks, and run a compromise assessment if patching was delayed, since exploitation is underway without public exploit code.

Ubiquiti UniFi and Lantronix flaws now exploited; CISA sets June 26 deadline

CISA has confirmed active exploitation of four critical flaws in Ubiquiti UniFi OS and Lantronix EDS5000 devices, adding them to its Known Exploited Vulnerabilities catalog with a June 26 deadline for federal agencies. Three UniFi OS bugs (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), each rated 10.0, can be chained for unauthenticated remote code execution and root; attackers were seen creating rogue admin accounts. The Lantronix flaw (CVE-2025-67038) is an unauthenticated root command injection in the EDS5000 serial console server. Ubiquiti patched UniFi OS Server in version 5.0.8, and Lantronix in firmware 2.2.0.0R1. Compromised network appliances let attackers pivot deep into internal networks.

Check
Inventory Ubiquiti UniFi OS consoles and gateways and any Lantronix EDS5000 device servers, confirm their firmware versions, and review logs for unexpected admin accounts or commands, especially on internet-reachable management interfaces.
Affected
UniFi OS devices before Server version 5.0.8 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) and Lantronix EDS5000 on firmware 2.1.0.0R3 (CVE-2025-67038); unauthenticated attackers can reach root and pivot inward.
Fix
Update UniFi OS to 5.0.8 or later and Lantronix EDS5000 to firmware 2.2.0.0R1 before the June 26 deadline, and restrict device management interfaces to trusted networks until patched.

Cisco Unified CM flaw now exploited to gain root on phone systems

A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.

Check
Check whether your Cisco Unified CM or Session Management Edition deployments have the WebDialer service enabled and confirm the software version, then review system logs for unexpected file writes or webshells.
Affected
Cisco Unified CM and Unified CM SME with the WebDialer service enabled (CVE-2026-20230); version 14 before 14SU6 and version 15 before 15SU5, especially with management interfaces reachable by attackers.
Fix
Patch to Cisco Unified CM 14SU6 or apply the version 15 interim fix, or disable the WebDialer service if it is not needed, and restrict management interfaces to trusted networks.

Hackers mass-exploit Gravity SMTP WordPress flaw to steal email API keys

Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.

Check
Identify WordPress sites running Gravity SMTP at version 2.1.4 or earlier, and review web server access logs for requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, which indicate attempted or successful data exposure.
Affected
WordPress sites running Gravity SMTP through 2.1.4 with email integrations configured (CVE-2026-4020); exposed API keys and OAuth tokens let attackers abuse connected email services and map the site for follow-on attacks.
Fix
Update Gravity SMTP to 2.1.5 or later, then assume compromise: rotate all API keys, secrets, and OAuth tokens set in the plugin's email connectors, and block the published attacker IPs.

Splunk Enterprise flaw now exploited, added to CISA must-patch list

A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its known-exploited list with a June 21 federal patch deadline. The bug (CVE-2026-20253, rated 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders.

Check
Identify Splunk Enterprise instances on 10.2 before 10.2.4 or 10 before 10.0.7, check whether the PostgreSQL sidecar endpoint is network-reachable, and review logs for path-traversal and unexpected PostgreSQL connections.
Affected
Splunk Enterprise 10.2 versions before 10.2.4 and 10 versions before 10.0.7 (CVE-2026-20253); instances whose PostgreSQL sidecar endpoint is reachable from untrusted networks are at highest risk.
Fix
Patch to Splunk Enterprise 10.2.4 or 10.0.7 immediately, or disable the PostgreSQL sidecar service as a temporary mitigation. Then run forensic triage for file tampering before assuming systems are clean.

Critical Joomla JCE editor flaw actively exploited to run PHP code

A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, rated a perfect 10) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and run arbitrary PHP code, leading to full server compromise. CISA added it to its known-exploited list and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so even sites with no public registration are at risk. Patching closes the hole but does not remove anything attackers already planted.

Check
Identify Joomla sites using the JCE extension and confirm the version, then audit for unfamiliar editor profiles, suspicious PHP files in upload directories, new admin accounts, and profile-import requests in logs.
Affected
Joomla websites running JCE versions 1.0.0 through 2.9.99.4 (CVE-2026-48907); public-facing sites are being hit by automated attacks regardless of whether public registration is enabled.
Fix
Update JCE to 2.9.99.5 or later now. Since the update does not clean an already-compromised site, also hunt for web shells and rogue accounts, and rotate site, database, and hosting passwords.

Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root

CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.

Check
Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
Affected
Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
Fix
Upgrade to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later now. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.

Attackers now exploiting three critical FortiSandbox flaws, one with AI-built exploit

Threat-intelligence firm Defused reports that attackers are now exploiting three critical flaws in Fortinet's FortiSandbox, the appliance other Fortinet products rely on to judge whether files are malicious. Two (CVE-2026-39813, a JRPC API path traversal that bypasses authentication, and CVE-2026-39808, an unauthenticated command-injection that runs code as root) were patched in April; the third (CVE-2026-25089) only last week. All are unauthenticated and rated critical. Compromising a sandbox is especially dangerous because attackers can make it wave real malware through as clean. Notably, the exploit for one flaw appears to have been generated with AI and is likely faulty, yet attackers are trying it anyway.

Check
Identify FortiSandbox, FortiSandbox Cloud, and PaaS instances and their versions, confirm whether the web and JRPC API interfaces are reachable from untrusted networks, and review logs for unauthenticated command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that are unpatched against CVE-2026-39813, CVE-2026-39808, or CVE-2026-25089, especially instances exposed to untrusted networks; all three need no authentication.
Fix
Upgrade FortiSandbox to the fixed releases for all three CVEs immediately, restrict management and API interfaces to trusted networks, and treat any unpatched appliance as potentially compromised pending review.

Cisco patches exploited SD-WAN Manager flaw that gives root access

Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.

Check
Identify Catalyst SD-WAN Manager instances and versions, and before upgrading run the request admin-tech command on each control component to preserve evidence, then review file-upload and web UI logs.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and the FedRAMP government edition (CVE-2026-20262), regardless of device configuration.
Fix
Upgrade to the fixed Catalyst SD-WAN Manager release now, restrict management-interface access to trusted administrators and networks, and audit for unauthorized files or configuration changes pushed to edge devices.

Critical Ivanti Sentry flaw now exploited within a day of disclosure

The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.

Check
Treat any unpatched, internet-facing Ivanti Sentry as potentially compromised: review appliances for rogue administrator accounts, unexpected root commands, and connections from unfamiliar IPs before and after patching.
Affected
Internet-exposed Ivanti Sentry (formerly MobileIron Sentry) 10.5.1, 10.6.1, 10.7.0 and earlier, now actively exploited via CVE-2026-10520 (root RCE) and CVE-2026-10523 (admin auth bypass).
Fix
Patch to R10.5.2, R10.6.2, or R10.7.1 immediately if not already done, then perform incident response: rebuild compromised appliances, remove rogue accounts, and rotate connected credentials and secrets.