Last updated: July 5, 2026 at 9:01 AM UTC
Tag: privilege-escalation (31 articles)

WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw

Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A WordPress nonce is a CSRF token, not an authentication or capability check, and one printed into page JavaScript is readable by anyone, so it offered no access control at all. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.

Check
Inventory WordPress sites for the WP Maps Pro plugin and confirm the installed version. Audit the wp_users table (joined with the wp_capabilities row in wp_usermeta) for administrator accounts with a recent user_registered timestamp and compare them against the users you expect. Review web server access logs for POST requests to /wp-admin/admin-ajax.php from clients that never authenticated through wp-login.php.
Affected
WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an admin account and receive a passwordless login URL.
Fix
Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Rotate all admin credentials, invalidate existing sessions, and audit for backdoors, web shells, or plugin/theme tampering.
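The account-hunting step above, as an added example that is not code from the advisory or from the WP Maps Pro vendor: it correlates a web server access log with the site's user list and flags administrators registered shortly after an admin-ajax.php POST from a client that never logged in. The vulnerable AJAX action name is not published here, so the heuristic keys on source IPs with no successful wp-login.php POST earlier in the log; all log lines and user rows are constructed samples.

```python
"""Added example, not code from the advisory or from the WP Maps Pro vendor:
correlate web-server access logs with the site's user list to surface
administrator accounts created right after an admin-ajax.php POST from a
client that never logged in. The log lines and user rows are constructed;
the vulnerable AJAX action name is not known here, so the heuristic keys on
source IPs with no successful wp-login.php POST earlier in the same log."""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. The request-line capture keeps the
# method and path and drops the protocol and query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined line: skip rather than guess
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def unauthenticated_ajax_posts(log_lines):
    """POSTs to admin-ajax.php from IPs that have not, earlier in the log,
    completed a login (WordPress answers a good wp-login.php POST with 302)."""
    logged_in, hits = set(), []
    for rec in filter(None, map(parse_line, log_lines)):
        if rec["path"].endswith("/wp-login.php") and rec["method"] == "POST" and rec["status"] == 302:
            logged_in.add(rec["ip"])
        elif rec["path"].endswith("/admin-ajax.php") and rec["method"] == "POST" and rec["ip"] not in logged_in:
            hits.append(rec)
    return hits


def suspicious_admins(users, ajax_hits, window=timedelta(minutes=10)):
    """Administrator rows whose user_registered (WordPress stores it in UTC)
    falls within `window` after an unauthenticated admin-ajax.php POST.
    Rows mirror `wp user list --fields=ID,user_login,user_registered,roles`."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        for hit in ajax_hits:
            if timedelta(0) <= registered - hit["ts"] <= window:
                flagged.append((u["user_login"], hit["ip"], hit["ts"].isoformat()))
                break
    return flagged


# Constructed sample data (not real traffic): a legitimate admin logs in and
# uses AJAX normally; a curl client hits admin-ajax.php cold, and a new
# administrator appears one second later.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jul/2026:09:58:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2026:09:59:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jul/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "curl/8.6"
203.0.113.9 - - [01/Jul/2026:10:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9811 "-" "curl/8.6"
""".splitlines()

SAMPLE_USERS = [  # constructed rows; the login names are illustrative only
    {"ID": "1", "user_login": "owner", "user_registered": "2024-03-12 08:00:00", "roles": "administrator"},
    {"ID": "2", "user_login": "editor1", "user_registered": "2025-11-02 14:20:00", "roles": "editor"},
    {"ID": "57", "user_login": "wpm_support", "user_registered": "2026-07-01 10:14:03", "roles": "administrator"},
]

if __name__ == "__main__":
    hits = unauthenticated_ajax_posts(SAMPLE_LOG)
    for login, ip, when in suspicious_admins(SAMPLE_USERS, hits):
        print(f"REVIEW admin '{login}' created just after unauthenticated AJAX POST from {ip} at {when}")
```

Logged-in users also POST to admin-ajax.php constantly (the heartbeat and most admin screens use it), which is why the filter keys on the absence of a prior login rather than on the endpoint alone; treat the output as a review queue, not a verdict.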

CIFSwitch Linux LPE: forged cifs.spnego key descriptions trick cifs.upcall into running as root - cifs-utils 6.14+ across multiple distros

SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel requests a key of type cifs.spnego and its request-key mechanism invokes the user-space cifs-utils helper, cifs.upcall, as root to obtain the ticket, with the key description telling the helper what to fetch. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's own CIFS client, so a local attacker who can issue such a request with a forged description gets cifs.upcall to act on attacker-controlled input as root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.

Check
Inventory Linux hosts with cifs-utils 6.14+ that mount Kerberos-authenticated CIFS shares. Identify multi-user systems where untrusted local users have shell access. Check distribution advisories for patched cifs-utils.
Affected
Linux distributions shipping cifs-utils 6.14 and higher (some older variants also affected) where the kernel CIFS subsystem fails to verify cifs.spnego key-request origin. Local shell access required.
Fix
Apply distribution kernel and cifs-utils updates as they ship. Where patches lag, restrict local user access on systems mounting Kerberos CIFS shares. Monitor request-key and cifs.upcall invocations.

LiteSpeed cPanel Plugin CVE-2026-48172 actively exploited - root-level script execution, update to 2.4.7 / WHM 5.3.1.0

LiteSpeed Technologies has patched CVE-2026-48172, a privilege-escalation vulnerability in its cPanel plugin that lets a low-privileged cPanel user trick the plugin into running scripts as root. The flaw has been observed under active exploitation. The fix lands in cPanel plugin v2.4.7 bundled with WHM plugin 5.3.1.0. Operators who cannot patch immediately are advised to uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. This follows last month's actively exploited CVE-2026-41940 (CVSS 9.8) in cPanel itself, which threat actors used to drop Mirai variants and the Sorry ransomware strain. cPanel hosting providers and resellers are the primary targets.

Check
Inventory cPanel hosts running the LiteSpeed cPanel plugin. Confirm WHM plugin version and bundled cPanel plugin version. Search /var/log/messages for unexpected lscmctl invocations.
Affected
All LiteSpeed cPanel plugin versions before 2.4.7 (bundled with WHM plugin 5.3.1.0). Hosting providers and shared-hosting tenants where low-privileged cPanel users can run scripts are at highest risk.
Fix
Upgrade to LiteSpeed WHM plugin 5.3.1.0 (with bundled cPanel plugin 2.4.7) immediately. Temporary mitigation: uninstall the user-end plugin via /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall.

Microsoft Defender zero-days CVE-2026-41091 (SYSTEM LPE) and CVE-2026-45498 (DoS) exploited in attacks, added to CISA KEV

Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.

Check
Open Windows Security > Virus & threat protection > Protection updates and click Check for updates. Verify Antimalware Platform >= 4.18.26040.7 and Malware Protection Engine >= 1.1.26040.8. At fleet scale, query each host with `Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion` and compare the dotted fields numerically, not as strings.
Affected
Windows endpoints running Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, or Defender Antimalware Platform 4.18.26030.3011 and earlier. Default config auto-updates, but air-gapped or restricted networks may lag.
Fix
Confirm Defender definitions and platform updates auto-install. FCEB agencies must patch by June 3 per CISA BOD 22-01. Investigate any KEV-listed legacy CVE-2008-4250/2009-1537/2009-3459/2010-0249/2010-0806 hits.
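A fleet classifier for the two fix levels above, as an added example rather than Microsoft's code: it compares Defender engine and platform versions field by field as numbers and shows why a string comparison gets the answer wrong once a build number has fewer digits. The inventory rows are constructed; on a real fleet they would be exported per host from the AMEngineVersion and AMProductVersion properties of Get-MpComputerStatus.

```python
"""Added example, not Microsoft's code: classify Defender versions against the
fix levels in this item, comparing numerically rather than as strings. The
inventory rows are constructed; on a real fleet they would be exported per
host from Get-MpComputerStatus (AMEngineVersion, AMProductVersion)."""
FIXED_ENGINE = "1.1.26040.8"      # Malware Protection Engine, CVE-2026-41091
FIXED_PLATFORM = "4.18.26040.7"   # Antimalware Platform, CVE-2026-45498


def vtuple(version):
    """'1.1.26040.8' -> (1, 1, 26040, 8); each dotted field is a number."""
    return tuple(int(p) for p in version.split("."))


def needs_update(engine, platform):
    """Reasons an endpoint is still exposed; empty when both are at or above the fix."""
    reasons = []
    if vtuple(engine) < vtuple(FIXED_ENGINE):
        reasons.append(f"engine {engine} < {FIXED_ENGINE} (CVE-2026-41091)")
    if vtuple(platform) < vtuple(FIXED_PLATFORM):
        reasons.append(f"platform {platform} < {FIXED_PLATFORM} (CVE-2026-45498)")
    return reasons


def lexical_says_outdated(engine):
    """The pitfall: plain string comparison ranks '...26040.10' below
    '...26040.8' because '1' sorts before '8', so a newer engine would be
    reported as vulnerable, and the mirror-image mistake would miss a
    vulnerable one."""
    return engine < FIXED_ENGINE


def exposed_hosts(rows):
    """{host: reasons} for every row that still needs an update."""
    return {host: r for host, e, p in rows if (r := needs_update(e, p))}


SAMPLE_INVENTORY = [  # constructed: (host, AMEngineVersion, AMProductVersion)
    ("ws-0412", "1.1.26030.3008", "4.18.26030.3011"),     # both at the last vulnerable build
    ("ws-0418", "1.1.26040.8", "4.18.26040.7"),           # fully updated
    ("srv-airgap-01", "1.1.25110.4", "4.18.26030.3011"),  # offline segment, months behind
    ("ws-0531", "1.1.26040.10", "4.18.26040.7"),          # engine newer than the fix
]

if __name__ == "__main__":
    for host, reasons in exposed_hosts(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(reasons))
```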

Qualys discloses 9-year-old Linux kernel ptrace flaw CVE-2026-46333 (ssh-keysign-pwn) - root via chage, ssh-keysign, pkexec, accounts-daemon

Qualys has disclosed a 9-year-old privilege management flaw in the Linux kernel that lets an unprivileged local user disclose /etc/shadow and host SSH private keys, then chain four different post-disclosure exploits (chage, ssh-keysign, pkexec, and accounts-daemon) to execute commands as root. The bug is tracked as CVE-2026-46333 and was introduced in November 2016 in the kernel's __ptrace_may_access() function. It affects default installs of Debian, Fedora, and Ubuntu. A proof-of-concept has been released and a public kernel commit landed. Qualys recommends rotating SSH host keys on any host that allowed untrusted local users before patching.

Check
Run uname -r to inventory kernels. Identify hosts that allow untrusted local users (shared dev boxes, multi-tenant CI runners, jump hosts). Search /var/log/auth.log for unusual chage/ssh-keysign/pkexec/accounts-daemon invocations.
Affected
Default installs of Debian, Fedora, and Ubuntu running Linux kernels that include the November 2016 __ptrace_may_access() change. Servers that allow local user shells are at highest risk.
Fix
Apply the latest distribution kernel updates. Temporary workaround: set kernel.yama.ptrace_scope = 2, which limits ptrace to processes holding CAP_SYS_PTRACE and therefore also stops unprivileged gdb/strace attaches on that host. Rotate SSH host keys and any credentials held by setuid processes on hosts that allowed untrusted local users.

PinTheft Arch Linux LPE: RDS zerocopy double-free turned into io_uring page-cache overwrite, PoC released

The V12 security team has released a working PoC for PinTheft, a Linux kernel local privilege escalation tied to a double-free in the RDS (Reliable Datagram Sockets) zerocopy send path that can be turned into a page-cache overwrite through io_uring fixed buffers. The bug was patched earlier in May but has no assigned CVE yet. Exploitation requires the RDS module to be loaded - default only on Arch Linux among the major distributions - plus io_uring enabled and a readable SUID-root binary. PinTheft joins DirtyDecrypt, Dirty Frag, Fragnesia, and Copy Fail in a recent run of Linux LPE disclosures.

Check
Inventory Arch Linux hosts with `pacman -Q linux`. Check if RDS is loaded via `lsmod | grep rds`. Look for unexpected root shells from low-privilege users in audit logs since 2026-05-20.
Affected
Linux kernels with the RDS module enabled (default only on Arch Linux among common distros) plus io_uring enabled and a readable SUID-root binary. PoC tested on x86_64.
Fix
Apply the latest Arch Linux kernel update. Temporary mitigation: `rmmod rds_tcp rds` and block reloading via /etc/modprobe.d/pintheft.conf; a `blacklist rds` line only stops alias-based autoload (for example from a socket(AF_RDS) call), so add `install rds /bin/false` as well so that an explicit modprobe also fails. Audit io_uring usage and consider raising its sysctl restrictions (kernel.io_uring_disabled).

DirtyDecrypt Linux kernel root escalation PoC released - rxgk pagecache write affects Fedora, Arch, openSUSE Tumbleweed

A working proof-of-concept exploit for a recently patched Linux kernel local privilege escalation is now public. Researchers at V12 found the bug in May and were told it had already been fixed in the mainline kernel on April 25, matching CVE-2026-31635 per Tharros analyst Will Dormann. The flaw is a missing copy-on-write check in rxgk_decrypt_skb, the kernel routine that decrypts RxGK packets for the Andrew File System. Exploitation requires CONFIG_RXGK, limiting impact to leading-edge distros like Fedora, Arch Linux, and openSUSE Tumbleweed. DirtyDecrypt joins Dirty Frag, Fragnesia, and Copy Fail in a recent wave of Linux LPE disclosures.

Check
Run 'uname -r' across your Linux fleet, flag hosts on Fedora, Arch, openSUSE Tumbleweed, or any mainline kernel with CONFIG_RXGK. Search audit logs for unexpected setuid execs since 2026-04-25.
Affected
Linux kernels built with CONFIG_RXGK enabled, primarily Fedora, Arch Linux, and openSUSE Tumbleweed. Distributions on long-term stable kernels (RHEL, Debian stable, Ubuntu LTS) are not typically affected.
Fix
Apply your distribution's latest kernel updates. Temporary mitigation (also breaks AFS and IPsec VPNs): blacklist esp4, esp6, and rxrpc via /etc/modprobe.d/ (pair each blacklist line with an `install <module> /bin/false` line so explicit loads fail too), unload them with rmmod, and drop the page cache.
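One host-triage routine for the four Linux LPE items above (CIFSwitch, ssh-keysign-pwn, PinTheft, DirtyDecrypt), added here as an example and not taken from any of the advisories, the kernel, or cifs-utils. Each check takes a file's text, so it runs against the constructed samples below and, unchanged, against the real /proc/mounts, /proc/modules, /boot/config-$(uname -r), /proc/sys/kernel/yama/ptrace_scope and request-key configuration on a host. The thresholds come from the advisories; the request-key config path /etc/request-key.d/cifs.spnego.conf is the conventional location and is an assumption for any given distribution.

```python
"""Added example, not code from the advisories above or from the kernel or
cifs-utils projects: a single host-triage routine for the Linux LPE items on
this page (CIFSwitch, ssh-keysign-pwn, PinTheft, DirtyDecrypt). Every input is
a file's text so the checks run against constructed samples here and against
the real /proc and /etc files on a host. Thresholds (cifs-utils >= 6.14,
ptrace_scope 2, RDS loaded, CONFIG_RXGK) are from the advisories; the
request-key config path is the conventional one and is an assumption."""
import re


def krb5_cifs_mounts(proc_mounts):
    """Mount points of CIFS shares negotiated with Kerberos (sec=krb5*)."""
    found = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "cifs":
            continue
        if any(o in ("sec=krb5", "sec=krb5i", "sec=krb5p") for o in parts[3].split(",")):
            found.append(parts[1])
    return found


def cifs_upcall_handler(request_key_conf):
    """Program that /sbin/request-key runs for cifs.spnego keys (conventionally
    configured in /etc/request-key.d/cifs.spnego.conf), or None if absent.
    Line layout: op  key-type  description  callout-info  program  args..."""
    for line in request_key_conf.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "create" and fields[1] == "cifs.spnego":
            return fields[4]
    return None


def cifs_utils_in_range(version):
    """Advisory range: cifs-utils 6.14 and higher (some older variants too)."""
    return tuple(int(x) for x in re.findall(r"\d+", version)) >= (6, 14)


def loaded_modules(proc_modules):
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def kernel_config_value(config_text, option):
    """'y', 'm', or None for '# CONFIG_X is not set' / option absent."""
    m = re.search(rf"^{option}=([ym])$", config_text, re.M)
    return m.group(1) if m else None


def ptrace_scope(sysctl_text):
    return int(sysctl_text.strip())


def triage(host):
    """Findings for one host described as in SAMPLE_HOST."""
    findings = []
    mounts = krb5_cifs_mounts(host["proc_mounts"])
    handler = cifs_upcall_handler(host["request_key_conf"])
    if mounts and handler and cifs_utils_in_range(host["cifs_utils_version"]):
        findings.append(f"CIFSwitch: krb5 CIFS mounts {mounts}, {handler} handles cifs.spnego")
    if host["untrusted_local_users"] and ptrace_scope(host["ptrace_scope"]) < 2:
        findings.append("ssh-keysign-pwn: untrusted local users and kernel.yama.ptrace_scope < 2")
    mods = loaded_modules(host["proc_modules"])
    if "rds" in mods:
        findings.append("PinTheft: rds module loaded" + (" (rds_tcp too)" if "rds_tcp" in mods else ""))
    rxgk = kernel_config_value(host["kernel_config"], "CONFIG_RXGK")
    if rxgk:
        findings.append(f"DirtyDecrypt: CONFIG_RXGK={rxgk}")
    return findings


SAMPLE_HOST = {  # constructed file contents, laid out like the real files
    "proc_mounts": (
        "//fs.corp.example/share /mnt/share cifs rw,relatime,vers=3.1.1,sec=krb5,cache=strict 0 0\n"
        "/dev/sda2 / ext4 rw,relatime 0 0\n"
    ),
    "request_key_conf": "create\tcifs.spnego\t*\t*\t/usr/sbin/cifs.upcall %k\n",
    "cifs_utils_version": "7.0",
    "proc_modules": (
        "rds_tcp 40960 0 - Live 0x0000000000000000\n"
        "rds 122880 1 rds_tcp, Live 0x0000000000000000\n"
    ),
    "kernel_config": "CONFIG_AFS_FS=m\nCONFIG_RXGK=y\nCONFIG_RDS=m\n",
    "ptrace_scope": "1\n",
    "untrusted_local_users": True,
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

On a real host, feed the functions the contents of /proc/mounts, /proc/modules, /boot/config-$(uname -r) (or zcat /proc/config.gz), /proc/sys/kernel/yama/ptrace_scope and the request-key configuration, and take the cifs-utils version from the package manager; the untrusted_local_users flag is a judgement you supply from your inventory.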

OpenClaw 'Claw Chain': four sandbox-escape and priv-esc flaws on ~180K public AI agent instances (patched 2026.4.22)

Researchers at Cyera have disclosed a chain of four vulnerabilities in OpenClaw, an open-source autonomous AI agent platform that Nvidia and Tencent have built enterprise products on top of. The chain - CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118 - lets an attacker who can influence the agent's input (through a malicious plugin, prompt injection, or compromised tool output) break out of the OpenShell sandbox, read environment-stored API keys, elevate to owner-level privileges, and write persistent backdoors. Each step looks like normal agent behavior. Shodan and Zoomeye between them counted 65,000 to 180,000 public OpenClaw instances earlier in May. All flaws are fixed in OpenClaw 2026.4.22.

Check
Inventory OpenClaw, NemoClaw, and ClawPro deployments. Check installed version via --version or /api/version. Search agent logs for unexpected symlink creation or env-var reads inside heredocs.
Affected
All OpenClaw releases prior to version 2026.4.22 (April 23, 2026). Nvidia NemoClaw and Tencent ClawPro builds derived from older OpenClaw cores inherit the same flaws unless rebased.
Fix
Update to OpenClaw 2026.4.22 or later. Until then, scope the OpenShell sandbox to a read-only filesystem, strip secrets from the agent's environment, and route egress through a logging proxy.

MiniPlasma Windows zero-day: working PoC gives SYSTEM on fully patched Windows 11 via cldflt.sys driver

A researcher who goes by Chaotic Eclipse has dropped working proof-of-concept code on GitHub for a Windows local privilege escalation that gives SYSTEM access on fully patched Windows 11 Pro and Windows Server 2025. The bug lives in the Cloud Filter driver cldflt.sys and is, the researcher says, the same flaw Google Project Zero reported to Microsoft as CVE-2020-17103 in 2020, which Microsoft said it fixed in December 2020. The original Google PoC works unmodified. May 2026 Patch Tuesday updates do not stop it. The same researcher has dropped several other Windows zero-days in recent weeks, all of which were quickly seen in real attacks.

Check
Inventory Windows 11 and Server 2022/2025 endpoints. Hunt SIEM for unexpected SYSTEM-context cmd.exe spawns or new processes launched from standard user sessions touching cldflt.sys.
Affected
Microsoft Windows 11 Pro and Windows Server 2025 with May 2026 Patch Tuesday updates applied. The researcher claims all Windows versions are likely affected.
Fix
No patch available. Block execution of the public MiniPlasma binary by hash in EDR. Tighten local user privileges and restrict admin sessions on multi-user endpoints until Microsoft ships a fix.

Azure Backup for AKS lets low-privileged Backup Contributors gain cluster-admin, Microsoft blocked CVE (VU#284781)

Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'

Check
Audit Azure RBAC assignments on subscriptions hosting AKS clusters, for example with `az role assignment list --all --role "Backup Contributor"`. A role assigned at management-group, subscription or resource-group scope is inherited by every AKS cluster beneath it, so check parent scopes, not only the cluster resources themselves. Confirm each holder of the role was intended to have cluster-admin rights.
Affected
Azure Kubernetes Service clusters with Azure Backup for AKS enabled, where the 'Backup Contributor' role has been assigned. No CVE issued; CERT tracking ID VU#284781.
Fix
Restrict the 'Backup Contributor' role to trusted operators only. No vendor patch acknowledged; rely on least-privilege RBAC until Microsoft confirms a fix. Monitor MSRC for updates.
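The scope-inheritance audit above, as an added example that is neither Microsoft's nor CERT/CC's code: it finds every Backup Contributor assignment that reaches an AKS cluster, including assignments made at subscription or resource-group scope rather than on the cluster itself. The assignment and cluster lists are constructed but shaped like `az role assignment list --all -o json` and `az aks list --query "[].id" -o json` output; the principal names are illustrative.

```python
"""Added example, not Microsoft's or CERT/CC's code: find Backup Contributor
assignments that reach an AKS cluster through Azure RBAC scope inheritance
(management group -> subscription -> resource group -> resource). Both lists
are constructed but shaped like `az role assignment list --all -o json` and
`az aks list --query "[].id" -o json` output."""

BACKUP_CONTRIBUTOR = "Backup Contributor"


def scope_covers(scope, resource_id):
    """True when an assignment at `scope` applies to `resource_id`: the scope
    is the resource itself or an ancestor. Compare case-insensitively and on
    whole path segments so that '.../rg-prod' does not cover '.../rg-prod10'."""
    s = scope.lower().rstrip("/")
    r = resource_id.lower()
    return r == s or r.startswith(s + "/")


def aks_reachable_by_backup_contributors(assignments, aks_ids):
    """(principal, type, assignment scope, cluster id) for every cluster that a
    Backup Contributor assignment reaches."""
    hits = []
    for a in assignments:
        if a["roleDefinitionName"] != BACKUP_CONTRIBUTOR:
            continue
        for cid in aks_ids:
            if scope_covers(a["scope"], cid):
                hits.append((a["principalName"], a["principalType"], a["scope"], cid))
    return hits


# Constructed sample data: an all-zero subscription id, two clusters, one
# subscription-wide assignment and one resource-group assignment.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_AKS = [
    f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod",
    f"{SUB}/resourceGroups/rg-prod10/providers/Microsoft.ContainerService/managedClusters/aks-lab",
]
SAMPLE_ASSIGNMENTS = [
    {"principalName": "backup-ops@example.com", "principalType": "User",
     "roleDefinitionName": "Backup Contributor", "scope": SUB},
    {"principalName": "sp-backup-rgprod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Backup Contributor", "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principalName": "dev@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    for principal, ptype, scope, cluster in aks_reachable_by_backup_contributors(SAMPLE_ASSIGNMENTS, SAMPLE_AKS):
        print(f"{ptype} {principal} holds Backup Contributor at {scope} -> reaches {cluster}")
```

The segment-boundary check in scope_covers matters in practice: a naive prefix match would report the rg-prod service principal as reaching the cluster in rg-prod10, and the inverse mistake (exact match only) would miss the subscription-wide assignment entirely.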