Last updated: July 5, 2026 at 9:01 AM UTC
Tag: actively-exploited (70 articles)

CISA adds 4-year-old Linux kernel cgroups container-escape CVE-2022-0492 to KEV after active exploitation evidence

CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw, classed as improper authentication, sits in the cgroups v1 release_agent feature: the kernel let any process that could mount cgroupfs set release_agent without holding CAP_SYS_ADMIN in the initial user namespace, and the path written there is executed by the host kernel as root when the last process in a cgroup exits. That is a container escape with root on the host. Upstream fixed it in 5.17-rc3 in February 2022 and the fix was backported to stable and distribution kernels, so exposure today means a host that never took those updates. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions, because Docker's default seccomp and AppArmor profiles deny the cgroupfs mount the technique depends on. Its appearance on KEV signals in-the-wild abuse, most likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.

Check
Inventory container hosts and compare kernel versions with your distribution's advisory for CVE-2022-0492 (upstream fix in 5.17-rc3, backported in February 2022). Then check for containers running with --privileged, with CAP_SYS_ADMIN added, or with seccomp or AppArmor/SELinux set to unconfined: the release_agent escape needs to mount cgroupfs, which Docker's default profiles block, so those settings are what makes it exploitable.
Affected
Linux hosts on older kernels with the cgroups v1 release_agent flaw, especially containers lacking AppArmor/SELinux or seccomp restrictions. Active exploitation now confirmed via CISA KEV listing.
Fix
Patch host kernels. Enforce seccomp and AppArmor/SELinux on all containers and do not run workloads with --privileged. Drop CAP_SYS_ADMIN where unneeded, and keep unprivileged user namespaces disabled on hosts that do not need them, since a user namespace is the other route to the capability the cgroupfs mount requires. FCEB agencies must remediate by the CISA KEV deadline.
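The confinement check above, as an added example that is not from the page or from any vendor: it reads `docker inspect` JSON and reports every container that has lost the defaults standing between it and the cgroupfs mount. The sample input is constructed; container names and settings are made up. It covers only the Docker-level settings named in this advisory (privileged mode, added CAP_SYS_ADMIN, seccomp and AppArmor set to unconfined); a custom seccomp profile that allows mount, or a SELinux-based host, needs its own check, and the kernel patch level still has to be verified against the distribution advisory.

```python
import json

# Constructed sample in the shape `docker inspect <ids>` returns, trimmed to the
# fields this audit reads. Names and settings are made up for the example.
SAMPLE_JSON = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None}},
    {"Name": "/debug",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "CapAdd": None,
                    "SecurityOpt": ["apparmor=unconfined"]}},
])


def container_findings(container):
    """Reasons this container could mount cgroupfs and reach release_agent.
    An empty list means Docker's default confinement (seccomp profile denying
    mount/unshare, docker-default AppArmor profile denying mount) still applies."""
    hc = container.get("HostConfig") or {}
    reasons = []
    if hc.get("Privileged"):
        reasons.append("--privileged: all capabilities, seccomp and AppArmor off")
    caps = {c.upper().removeprefix("CAP_") for c in (hc.get("CapAdd") or [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        reasons.append("CAP_SYS_ADMIN added: mount(2) of cgroupfs allowed")
    opts = hc.get("SecurityOpt") or []
    if any(o.startswith("seccomp=unconfined") for o in opts):
        reasons.append("seccomp=unconfined: mount/unshare no longer filtered")
    if any(o.startswith("apparmor=unconfined") for o in opts):
        reasons.append("apparmor=unconfined: docker-default mount denial gone")
    return reasons


def audit_inspect_output(text):
    """Parse `docker inspect` JSON and return {name: [findings]} for every
    container that has at least one finding."""
    return {c["Name"].lstrip("/"): f
            for c in json.loads(text)
            if (f := container_findings(c))}


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) > containers.json, then feed the file.
    for name, reasons in audit_inspect_output(SAMPLE_JSON).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

On the sample, `web` is clean and `debug` and `ci-runner` each produce two findings. Run it against real output and treat any listed container on an unpatched host as an escape candidate.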

Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns

The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.

Check
Inventory all domain controllers and confirm the May 2026 Patch Tuesday update that fixes CVE-2026-41089 is installed. Review Netlogon RPC traffic and DC event logs for anomalous requests from hosts that are not domain members, and for unexpected LSASS crashes or DC reboots, the usual footprint of failed overflow attempts against a service that runs inside lsass.exe.
Affected
All currently supported Windows Server versions acting as domain controllers, unpatched against the May 2026 fix. Unauthenticated attackers can gain RCE on a DC, enabling full domain compromise.
Fix
Apply the May 2026 Patch Tuesday update to every domain controller immediately. Netlogon cannot be blocked from domain members, so restrict exposure by filtering RPC (135, the dynamic port range and 445) to DCs from untrusted networks and the internet. Monitor for post-exploitation lateral movement from DCs.

CISA adds Oracle WebLogic Server CVE-2024-21182 to KEV after active exploitation evidence - FCEB patch deadline set

CISA has added CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. WebLogic is a widely deployed Java EE application server that frequently sits on internet-facing infrastructure, making it a recurring target for initial access and cryptomining campaigns. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by the assigned deadline, and CISA urges all organizations to prioritize patching. Oracle addressed the flaw in a prior Critical Patch Update; organizations running unpatched WebLogic instances should apply the relevant CPU and audit for signs of exploitation immediately.

Check
Inventory Oracle WebLogic Server instances, especially internet-facing ones, and confirm the relevant Oracle Critical Patch Update addressing CVE-2024-21182 is applied. Audit logs for exploitation indicators.
Affected
Oracle WebLogic Server instances unpatched against CVE-2024-21182. Internet-facing deployments are at highest risk; WebLogic is a recurring target for initial access and cryptomining.
Fix
Apply the relevant Oracle Critical Patch Update immediately. FCEB agencies must remediate by the CISA KEV deadline. Remove WebLogic admin consoles from public internet exposure, and filter the T3 and IIOP listeners from untrusted networks: they are the usual entry path for unauthenticated WebLogic exploitation and are rarely needed beyond the application tier.

WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw

Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and its only gate was a nonce exposed in frontend JavaScript. A WordPress nonce is a CSRF token, not proof of identity or capability, so any visitor could read it from the page source and pass the check; the capability check that should have gated an admin-creating action was absent. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.

Check
Inventory WordPress sites for the WP Maps Pro plugin and confirm the version is newer than 6.1.0. Audit wp_users and wp_usermeta for administrator accounts registered recently or whose role was changed. Review access logs for unauthenticated POSTs to admin-ajax.php carrying the plugin's temporary-access action.
Affected
WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an admin account and receive a passwordless login URL.
Fix
Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Because the passwordless login URL was sent off-site, treat every site that ran a vulnerable version as potentially accessed even if no rogue admin remains: rotate all admin credentials and audit for backdoors, web shells, or plugin/theme tampering.
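The users-table audit from the Check step, as an added example that is not from the page or the plugin vendor. WordPress stores a user's role in wp_usermeta under meta_key '<prefix>capabilities' as a PHP-serialized array, so the role test is a substring match on that blob. The schema is a constructed subset of wp_users and wp_usermeta with the default 'wp_' prefix, loaded into SQLite so it runs offline; the rows, cutoff date and account names are made up. The same SQL runs unchanged against a real MySQL database through any DB-API connector, after substituting the site's table prefix.

```python
import sqlite3

# Constructed cutoff: the last date the site was known to be clean.
CUTOFF = "2026-05-01 00:00:00"

# Role lives in wp_usermeta as a PHP-serialized array, e.g.
#   a:1:{s:13:"administrator";b:1;}
# so a LIKE on the quoted role name is the practical filter.
QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def build_sample_db():
    """In-memory subset of the WordPress schema with constructed rows: a
    legitimate admin, a normal subscriber, and a rogue admin created during
    the exploitation window."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "owner", "owner@example.com", "2023-02-10 12:00:00"),
        (2, "reader", "reader@example.com", "2026-05-03 09:15:00"),
        (3, "wpmaps_support", "support@example.invalid", "2026-05-20 03:41:07"),
    ])
    db.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return db


def recent_admins(db, cutoff=CUTOFF):
    """Administrator accounts registered at or after the cutoff, oldest first."""
    return db.execute(QUERY, (cutoff,)).fetchall()


if __name__ == "__main__":
    for uid, login, email, registered in recent_admins(build_sample_db()):
        print(f"ID {uid}: {login} <{email}> registered {registered}")
```

On the sample only `wpmaps_support` is returned. A registration-date filter misses an existing low-privilege account that was promoted, so pair it with a second pass that lists every administrator regardless of date and compares against the known list.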

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.

Attackers drive LLM agent for post-exploitation after Marimo CVE-2026-39987 RCE - AWS Secrets Manager to PostgreSQL exfil in minutes

Sysdig has documented a real-world intrusion in which a threat actor used an LLM agent to drive post-exploitation after compromising an internet-reachable Marimo notebook via CVE-2026-39987, a pre-authentication RCE affecting all Marimo versions up to 0.20.4 (fixed in 0.23.0). The attacker extracted two cloud credentials from the host, replayed them through a fanned-out egress pool to pull an SSH private key from AWS Secrets Manager, then used it to open eight short SSH sessions against a downstream bastion. The bastion phase exfiltrated the full schema and contents of an internal PostgreSQL database in under two minutes. The May 10 incident shows attackers operationalizing AI agents for hands-on-keyboard work.

Check
Inventory Marimo notebook deployments and confirm the version is 0.23.0 or later. Check whether any are internet-reachable. Audit CloudTrail for GetSecretValue calls and for any access key used from several source IPs within a short window (the fan-out pattern seen here), and review bastion SSH session logs since early May.
Affected
All Marimo versions up to and including 0.20.4 (pre-auth RCE, fixed in 0.23.0). Internet-reachable notebooks with access to cloud credentials and SSH keys are at highest risk.
Fix
Upgrade Marimo to 0.23.0+. Remove notebooks from public internet exposure. Rotate cloud credentials and SSH keys reachable from compromised hosts. Tighten Secrets Manager IAM scoping and add anomaly alerts.
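A detection for the credential-replay stage described above, written for this page as an added example rather than Sysdig's or the project's code. It scans CloudTrail records for an access key used from many distinct source IPs inside a sliding window, the "fanned-out egress pool" pattern, and lists any secrets pulled with GetSecretValue during that burst. The field names are CloudTrail's real ones; the events, key IDs, addresses and secret name are constructed, and the window and IP threshold are assumptions to tune per environment (NAT pools and multi-region CI runners will fan out legitimately).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-shaped records: one stolen key replayed from four IPs
# in under two minutes, plus a CI key that always comes from one egress address.
EVENTS = [
    {"eventTime": "2026-05-10T14:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2026-05-10T14:02:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2026-05-10T14:03:05Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-10T14:03:30Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"secretId": "prod/bastion/ssh-key"}},
    {"eventTime": "2026-05-10T14:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
    {"eventTime": "2026-05-10T14:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def fanout_alerts(events, window=timedelta(minutes=5), min_ips=3):
    """Return {accessKeyId: {"ips": set, "secrets": set}} for each key seen
    from at least min_ips distinct source IPs within any window-long span.
    'secrets' holds the secretId of every GetSecretValue inside that span."""
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(e)

    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, first in enumerate(evs):
            t0 = parse_time(first["eventTime"])
            burst = [e for e in evs[i:] if parse_time(e["eventTime"]) - t0 <= window]
            ips = {e["sourceIPAddress"] for e in burst}
            if len(ips) >= min_ips:
                secrets = {e.get("requestParameters", {}).get("secretId")
                           for e in burst if e["eventName"] == "GetSecretValue"}
                alerts[key] = {"ips": ips, "secrets": secrets - {None}}
                break  # one alert per key is enough; report the earliest burst
    return alerts


if __name__ == "__main__":
    for key, info in fanout_alerts(EVENTS).items():
        print(f"{key}: {len(info['ips'])} source IPs in window; "
              f"secrets read: {sorted(info['secrets']) or 'none'}")
```

On the sample, the first key alerts with four IPs and one secret read, while the CI key stays quiet. In production, feed it the decompressed CloudTrail JSON `Records` array, or run the same grouping as an Athena query over the CloudTrail table.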

FortiClient EMS CVE-2026-35616 actively exploited to deploy EKZ infostealer - disguised as endpoint update via VPN scripting

Arctic Wolf has observed active exploitation of CVE-2026-35616, an authentication-bypass flaw in FortiClient Enterprise Management Server (EMS), to deliver an undocumented credential stealer called EKZ. Attackers abuse the endpoint APIs to perform administrative actions without authentication, then modify EMS configuration and VPN policies to inject malicious scripts. Seconds after endpoints establish an IPsec tunnel to a Fortinet-managed gateway, EKZ is pushed disguised as an endpoint update via VPN scripting workflows. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April and CISA ordered federal agencies to patch the same week; Shadowserver tracked 2,000 internet-exposed EMS instances at the time.

Check
Inventory FortiClient EMS deployments and confirm patch level. Search for unauthorized EMS configuration or VPN policy changes since early April. Look for EKZ stealer behavior on endpoints.
Affected
FortiClient EMS 7.4.5 and 7.4.6 installations without the early-April hotfixes. Internet-exposed instances are at highest risk; Shadowserver counted 2,000 exposed in April when CISA mandated federal patching.
Fix
Apply the Fortinet hotfixes. Audit EMS admin actions and VPN policy modifications since April. Rotate credentials and certificates that EMS managed, and treat credentials on any endpoint that received the fake update as stolen, since EKZ is a credential stealer. Load Arctic Wolf's published EKZ indicators into EDR and SIEM.

Microsoft denounces uncoordinated zero-day disclosures after Chaotic Eclipse (Nightmare Eclipse) drops 6 CVEs - GitHub and GitLab accounts removed

Microsoft has come out strongly against uncoordinated zero-day disclosures after researcher Chaotic Eclipse (also Nightmare-Eclipse) dropped technical details of six Windows zero-days over the past month, citing a breakdown in Microsoft's disclosure process. The CVEs include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma; BlueHammer, RedSun, and UnDefend are now under active exploitation. GitHub removed the researcher's account; a GitLab re-upload account was also blocked. Microsoft is urging coordinated vulnerability disclosure but the researcher publicly disputes Microsoft's responsiveness, citing months of waiting for fixes. The incident highlights ongoing friction between solo researchers and large vendor PSIRTs.

Check
Confirm the Microsoft updates for BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and YellowKey (CVE-2026-45585) are installed on every Windows endpoint. Monitor for further leaked PoC code.
Affected
Windows endpoints unpatched against the six Nightmare Eclipse zero-days. Three (BlueHammer, RedSun, UnDefend) are confirmed under active exploitation. GreenPlasma and MiniPlasma also have public details.
Fix
Install the current Windows updates covering the four CVE-numbered flaws, and any fixes Microsoft ships for GreenPlasma and MiniPlasma. Block known exploit-PoC mirrors at egress. Watch GitHub/GitLab for re-uploaded code and add the corresponding hashes to detection rules.

CISA adds three to KEV: TanStack CVE-2026-45321 and Nx Console CVE-2026-48027 (TeamPCP) plus Daemon Tools Lite CVE-2026-8398

CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.

Check
Confirm TanStack (CVE-2026-45321) and Nx Console (CVE-2026-48027) remediation from the mid-May supply-chain wave is complete. Inventory Daemon Tools Lite installs for CVE-2026-8398.
Affected
Organizations exposed to the TeamPCP supply-chain compromises (TanStack, Nx Console) and any endpoint running a vulnerable Daemon Tools Lite disc-imaging build. Federal agencies bound by BOD 22-01.
Fix
Remediate all three by CISA's KEV deadline. Verify Nx Console is 18.100.0+ and TanStack dependencies are clean. Remove or update Daemon Tools Lite. Rotate credentials from the supply-chain incidents.

KnowledgeDeliver LMS zero-day CVE-2026-5426 deploys Godzilla web shell via ViewState deserialization - shared hardcoded ASP.NET machine keys across customers

Mandiant has disclosed that attackers exploited a zero-day in the KnowledgeDeliver learning management system (CVE-2026-5426) to deploy the Godzilla in-memory web shell and a custom-encrypted Cobalt Strike beacon. The flaw is a deserialization issue rooted in identical pre-shared ASP.NET machine keys distributed in the vendor's default web.config across all customer deployments installed before February 24, 2026. ASP.NET accepts any ViewState whose MAC validates under the configured machineKey, so an attacker holding the shared key can sign an arbitrary serialized object graph, submit it to any page, and have it deserialized before any application-level authentication runs, which yields unauthenticated RCE at the OS level. The threat actor escalated control to modify the platform's JavaScript files, prompting users to install a fake 'security authentication plugin' that delivered the Cobalt Strike payload.

Check
Inventory KnowledgeDeliver LMS installations with their deployment date. Check web.config for a static machineKey and compare the values across installations; identical keys are the vendor default. IIS logs do not record POST bodies, so the forged ViewState itself will not appear there: look instead for unusually large POSTs to .aspx pages from unfamiliar sources since late 2025, and for w3wp.exe spawning cmd.exe or powershell.exe, the usual sign of an OS-level payload.
Affected
All KnowledgeDeliver LMS installations deployed before February 24, 2026. The hardcoded ASP.NET machineKey is shared across all customers, enabling forged ViewState attacks for unauthenticated RCE.
Fix
Rotate machineKey to unique per-deployment values immediately, including on installations already patched, since the shared key may have been harvested from any customer; rotation invalidates existing sessions and ViewState, so schedule it. Patch to the latest KnowledgeDeliver release. Hunt for Godzilla/BlueBeam in-memory web shells and Cobalt Strike beacons across IIS application pools, and check the platform's JavaScript files for the injected 'security authentication plugin' prompt.
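The machineKey audit and rotation from the Check and Fix steps, as an added example that is not from Mandiant, the vendor or the page. It parses a set of web.config files, flags every static `<machineKey>`, reports which installations share the same key, and generates a fresh key pair sized for HMACSHA256 validation (64 bytes) and AES decryption (32 bytes), the same sizes IIS Manager's "Generate Keys" action produces. The config texts, paths and key values are constructed; nothing here is the vendor's real default.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments: two installs carrying the same static key,
# one already switched to per-app auto-generated keys. Key values are made up.
CONFIGS = {
    "customer-a/web.config": """<configuration><system.web>
      <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                  decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web></configuration>""",
    "customer-b/web.config": """<configuration><system.web>
      <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                  decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web></configuration>""",
    "customer-c/web.config": """<configuration><system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps"/>
    </system.web></configuration>""",
}


def machine_key(xml_text):
    """Return (validationKey, decryptionKey) from the first <machineKey>
    element anywhere in the config, or None if there is none."""
    el = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if el is None:
        return None
    return el.get("validationKey", ""), el.get("decryptionKey", "")


def audit_machine_keys(configs):
    """Map path -> finding for every config with a static (non-AutoGenerate)
    machineKey, naming the other installs that reuse the identical pair."""
    by_key = defaultdict(list)
    for path, text in configs.items():
        mk = machine_key(text)
        if mk and not mk[0].startswith("AutoGenerate"):
            by_key[mk].append(path)
    findings = {}
    for paths in by_key.values():
        for p in paths:
            others = [q for q in paths if q != p]
            findings[p] = ("static machineKey shared with: " + ", ".join(others)
                           if others else "static machineKey (unique to this install)")
    return findings


def new_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 for AES."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


def render_machine_key(keys):
    """The <machineKey> element to drop into <system.web> after rotation."""
    return (f'<machineKey validationKey="{keys["validationKey"]}" '
            f'decryptionKey="{keys["decryptionKey"]}" '
            'validation="HMACSHA256" decryption="AES"/>')


if __name__ == "__main__":
    for path, finding in audit_machine_keys(CONFIGS).items():
        print(f"{path}: {finding}")
    print("replacement:", render_machine_key(new_machine_key()))
```

On the sample, customer-a and customer-b are reported as sharing one static key and customer-c is clean. AutoGenerate keys are only an option for single-server installs; a web farm needs a static key, which is fine as long as it is unique to that deployment and never shipped in a vendor default.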