Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: privilege-escalation (31 articles)Clear

Bad Epoll Linux kernel flaw lets any local user gain root, including on Android

A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once that programs and browsers rely on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.

Check
Identify Linux servers, workstations, and Android devices in your environment and check their kernel versions against the Bad Epoll fix, prioritizing multi-user systems and anything where untrusted users can run code.
Affected
Linux desktops, servers, and Android devices on kernels without the Bad Epoll fix (CVE-2026-46242); any local user, or code already running with low privileges, can exploit the flaw to gain root.
Fix
Apply the kernel updates that fix Bad Epoll as they reach your distributions and Android devices; there is no workaround, since epoll cannot be disabled, so patching is the only real mitigation.

Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access

CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.

Check
Confirm the April 2026 Microsoft Defender update is applied across all Windows systems, and review endpoint logs for local privilege escalation, suspicious local-account access, and attempts to dump or read password hashes.
Affected
Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
Fix
Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.

New Linux kernel flaws give local users root by poisoning cached binaries

Researchers disclosed closely related Linux kernel flaws in the traffic-control subsystem that let an unprivileged local user gain root, and working exploits appeared within a day of disclosure. The main bug, nicknamed pedit COW (CVE-2026-46331), is an out-of-bounds write in the packet-editing action that corrupts shared page-cache memory; a related variant tracked as DirtyClone (CVE-2026-43503) was demonstrated by JFrog. Rather than touching files on disk, the exploit poisons the cached copy of a setuid root program like /bin/su in memory and runs the altered version as root, so file-integrity checks still pass. Exploitation needs the act_pedit module loadable and unprivileged user namespaces enabled, both common defaults on RHEL and Debian.

Check
Identify Linux systems running affected kernels, and check whether unprivileged user namespaces are enabled and whether the act_pedit traffic-control module can be loaded, the two conditions these exploits require.
Affected
Linux systems on affected kernels (CVE-2026-46331 and CVE-2026-43503), including default RHEL and Debian configurations, where any local user can escalate to root despite file-integrity checks passing.
Fix
Apply kernel updates from your distribution as they ship, and as interim hardening, disable unprivileged user namespaces and block loading of the act_pedit module where it is not needed.

macOS trust-caching gap lets standard users silently disable EDR and MDM

Researchers at XM Cyber detailed a macOS technique that lets an attacker with only standard user privileges disable enterprise security tools and call privileged functions, with no admin credentials, kernel exploit, or alerts. It abuses how macOS caches an application's code signature: once cached, the system keeps trusting the app even after an attacker modifies its components, letting a normal user impersonate trusted code and reach privileged XPC services by injecting into interface files. The team showed it disabling CrowdStrike Falcon and Kandji's MDM agent. CrowdStrike and Kandji have fixed their products, with Kandji assigning CVE-2026-39118, but XM Cyber frames the root cause as a flaw in macOS itself.

Check
Confirm that macOS endpoint security and management agents, such as EDR and MDM, are updated to versions that address this technique, and identify any third-party macOS apps exposing privileged XPC services.
Affected
Organizations relying on macOS endpoint protection and MDM; any app exposing privileged XPC services with injectable interface files can be abused by a standard user to escalate and disable defenses.
Fix
Update CrowdStrike, Kandji, and other macOS security agents to patched versions, monitor for tampering with security tools, and apply Apple updates as they address the underlying trust-caching weakness.

Cordyceps CI/CD weakness lets anonymous pull requests hijack build pipelines

Researchers at Novee disclosed Cordyceps, a systemic class of weaknesses in CI/CD pipelines, especially GitHub Actions workflows, that lets an attacker with nothing more than a free account hijack a project's build and release process. The danger is not a single bug but how workflows chain together: an untrusted pull request or comment feeds a low-privilege workflow whose output flows into a higher-privilege one, ending in stolen credentials, poisoned artifacts, or malicious releases. A scan of 30,000 repositories found over 300 fully exploitable, with fixes confirmed by Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Standard scanners miss it because they check files in isolation.

Check
Audit your GitHub Actions and other CI/CD workflows for steps that pass untrusted pull-request or comment data into higher-privilege jobs, and inventory where workflow tokens grant cloud or registry access.
Affected
Organizations whose CI/CD pipelines run workflows triggered by untrusted pull requests or comments, particularly GitHub Actions setups where low-privilege and high-privilege jobs share data and tokens across trust boundaries.
Fix
Treat workflow files as security-critical code, apply least privilege to workflow tokens, isolate untrusted pull-request triggers, sanitize data crossing between jobs, and review CI/CD changes generated by AI coding tools.

Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root

CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.

Check
Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
Affected
Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
Fix
Upgrade to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later now. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.

Unpatched Defender zero-day RoguePlanet gives SYSTEM on current Windows

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a working exploit, dubbed RoguePlanet, for an unpatched Microsoft Defender flaw that opens a command prompt with full SYSTEM privileges on fully updated Windows 10 and 11. The bug is a race condition, so the exploit is hit or miss, but the researcher reports a 100 percent success rate on some machines. They posted the proof-of-concept on a self-hosted Git server after Microsoft had earlier taken down their GitHub and GitLab repositories. It is the latest in a string of Windows zero-days (BlueHammer, RedSun, YellowKey, GreenPlasma) the researcher has released in protest of Microsoft's disclosure practices.

Check
Confirm Microsoft Defender real-time and tamper protection are enabled and current on Windows 10 and 11 endpoints, and watch for unexpected SYSTEM-level command shells spawned from Defender processes.
Affected
Fully patched Windows 10 and Windows 11 systems, including current and Canary builds, running Microsoft Defender; a public proof-of-concept exists and no fix is available yet.
Fix
No patch exists yet; watch for a Microsoft advisory and apply it when released. Meanwhile, rely on EDR behavioral detection and least-privilege controls to limit privilege-escalation impact.

Public exploit lands for one-character Linux kernel root flaw

A working exploit is now public for a Linux kernel bug that lets an ordinary local user become root and break out of containers. The flaw (CVE-2026-23111) lives in nf_tables, the kernel's packet-filtering code, and came down to a single inverted character that the upstream fix removed in one line back in February. It is reachable on common setups that have nf_tables plus unprivileged user namespaces enabled, both default on most desktops and many servers. Ubuntu rates it 7.8. There is no remote path on its own, but Exodus Intelligence published a full exploit walkthrough on June 8, making weaponization easy.

Check
Check the running kernel version on Linux hosts against your distribution's February 2026 or later patch, and review whether unprivileged user namespaces and nf_tables are enabled.
Affected
Linux systems on a kernel built before the February 5, 2026 nf_tables fix with both nf_tables and unprivileged user namespaces enabled (CVE-2026-23111); multi-tenant and container hosts most at risk.
Fix
Install the patched kernel package from your distribution and reboot. As a mitigation, restrict unprivileged user namespaces, for example setting kernel.unprivileged_userns_clone to 0 where supported.

Cisco SD-WAN Manager zero-day exploited to gain root, no patch yet

Cisco has warned of an actively exploited, unpatched zero-day in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that enables root privilege escalation across all deployment types, including on-prem, Cloud, Managed, and FedRAMP Government. The flaw stems from insufficient validation of user-supplied input: an attacker who uploads a crafted file can perform command injection and run arbitrary commands as root. Exploitation requires netadmin privileges - obtained via valid credentials or by chaining CVE-2026-20182 or CVE-2026-20127. Mandiant reported the activity to Cisco's PSIRT in June. Cisco has observed limited cases where exploitation pushed configuration changes to edge devices, and published IoCs pointing to suspicious tenant-list uploads in scripts.log.

Check
Inventory Cisco Catalyst SD-WAN Manager instances (all deployment types). Check /var/log/scripts.log for suspicious tenant-list uploads per Cisco's IoCs. Verify netadmin accounts and confirm CVE-2026-20182/20127 are patched.
Affected
All Cisco Catalyst SD-WAN Manager deployments (on-prem, Cloud, Managed, FedRAMP). Root-level command injection via crafted file upload; requires netadmin privileges, obtainable by chaining CVE-2026-20182 or CVE-2026-20127. No patch yet.
Fix
No patch available. Restrict netadmin access, enforce strong credentials and MFA, and patch the chainable CVE-2026-20182/20127. Apply Cisco IoCs and monitor scripts.log and edge-device config changes.

Critical Kirki WordPress flaw CVE-2026-8206 exploited to hijack admin accounts via password-reset redirect - 500,000 installs, 222+ attacks blocked

Hackers are exploiting CVE-2026-8206, a critical privilege-escalation flaw in the Kirki - Freeform Page Builder WordPress plugin, to take over any account including administrators. Defiant's Wordfence blocked over 222 attempts against customers in 24 hours. The plugin is active on more than 500,000 sites; the bug was introduced in version 6.0.0 and affects up to 6.0.6 (nearly 40% of the userbase). It stems from a custom REST password-reset endpoint that accepts an arbitrary email: when a username is supplied, the plugin sends a valid reset link to the attacker-controlled address instead of the owner's. The vendor fixed it in 6.0.7 on May 18; admins should upgrade or disable immediately.

Check
Inventory WordPress sites for the Kirki plugin and confirm version. Audit user accounts and password-reset logs for reset links sent to unfamiliar email addresses since version 6.0.0 deployment.
Affected
Kirki - Freeform Page Builder versions 6.0.0 through 6.0.6 (nearly 40% of 500,000+ installs). The REST password-reset endpoint sends valid reset links to attacker-supplied email addresses for any user.
Fix
Upgrade Kirki to 6.0.7 or disable the plugin immediately. Remove unauthorized admin accounts, rotate all admin credentials, and audit for web shells, malicious plugins, and backdoors.