Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

All cPanel and WHM versions had a critical authentication bypass that attackers may have been exploiting since February - emergency patches now released (CVE-2026-41940)

cPanel disclosed a critical authentication bypass on Monday affecting every cPanel and WHM version - including end-of-life builds. CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026 - more than two months before disclosure.

Check
If you run any cPanel or WHM server, confirm it's patched to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 today.
Affected
All cPanel and WHM versions before the April 28 emergency patch, plus end-of-life versions. CVE-2026-41940, CVSS 9.8. Successful exploitation grants root-equivalent access on the server, exposing every hosted website, database, email account, and customer data. KnownHost reports possible exploitation since February 23, 2026.
Fix
Run '/scripts/upcp --force' to pull the latest patched cPanel build immediately. Audit authentication logs for unusual successful logins between February 23 and April 28 - any login from an unfamiliar IP during that window may indicate prior compromise. Block cPanel ports (2082-2087, 2095-2096, 2077-2078) at the firewall to non-trusted IP ranges.

Two Windows Defender zero-days that disable the antivirus are still unpatched two weeks after researcher leaked them - attackers now chaining them with custom malware

Update on the Windows Defender zero-day situation: Huntress now confirms attackers are chaining the three flaws leaked April 3 by a researcher called 'Chaotic Eclipse' to deploy a custom tunneling agent named 'BeigeBurrow' on victim systems. Microsoft patched one of the three (BlueHammer, CVE-2026-33825) on April 14, but the other two are still unpatched two weeks later: RedSun lets attackers gain SYSTEM privileges even on patched machines, and UnDefend stops Defender from receiving signature updates - effectively turning off the antivirus. CISA gave federal agencies until May 6 to deploy the BlueHammer patch.

Check
Verify every Windows endpoint has the April 14 patch installed, and treat any host where Defender hasn't received signature updates in over 48 hours as suspicious.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later with Defender enabled. The April 14 patch closes only BlueHammer (CVE-2026-33825); RedSun (privilege escalation, no patch) and UnDefend (Defender update blocker, no patch) still affect every Windows endpoint regardless of patch status. Hands-on-keyboard exploitation is now confirmed in the wild.
Fix
Deploy the April 14 patch to every Windows endpoint and verify with MDM rather than trusting WSUS compliance numbers. Alert when a host's Defender signatures fall more than 48 hours out of date - that's the UnDefend tell. Watch for the enumeration commands Huntress documented on workstations: 'whoami /priv', 'cmdkey /list', 'net group' are unusual outside admin tooling. Block known BeigeBurrow command-and-control IPs.

CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.

Over 10,500 Zimbra servers still vulnerable to actively-exploited XSS as CISA gives federal agencies just three days to patch (CVE-2025-48700)

Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.

Check
If you run Zimbra anywhere - including subsidiaries, acquired companies, and overseas regional offices - confirm patch status against CVE-2025-48700 today.
Affected
Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 without the June 2025 security patches. Exploitation requires a user to view a crafted email in the Classic UI; servers using only the Modern UI are not exposed via this specific flaw, but related issues are addressed by the same patch. CVSS 6.1.
Fix
Apply the June 2025 patches across all instances. Where immediate patching is impossible, switch users to the Modern UI as a stopgap and remove webmail from direct internet exposure. Audit the past 60 days of mailbox audit logs for unusual TGZ archive creation, MFA backup-code retrieval, application-password generation, and bulk address-book access. Rotate application passwords issued during the vulnerable window.

LMDeploy LLM-serving SSRF (CVE-2026-33626) exploited within 13 hours of disclosure - attackers used the vision-language image loader as a generic port-scanner against AWS metadata, Redis, and MySQL

Sysdig observed the first in-the-wild exploitation of CVE-2026-33626 against its honeypot fleet 12 hours and 31 minutes after the GitHub advisory went live on April 21. LMDeploy is Shanghai AI Laboratory's open source toolkit for serving vision-language and text LLMs. The flaw is in load_image() in lmdeploy/vl/utils.py: it fetches arbitrary URLs from the image_url field without validating link-local, loopback, or RFC1918 ranges. CVSS 7.5. The attacker used LMDeploy as a generic SSRF primitive over an eight-minute session - port-scanning AWS IMDS, localhost Redis, MySQL, and an admin interface. v0.12.3 fixes it.

Check
If your team runs LLM-serving infrastructure (LMDeploy, vLLM, TGI, Ollama, Ray Serve), audit it this week for unvalidated URL fetching and put proper egress filtering in place.
Affected
LMDeploy versions before 0.12.3 with vision-language support enabled. Cloud GPU inference deployments are at acute risk because the SSRF directly targets the metadata service - on a misconfigured node this yields IAM credentials with broad access to S3 model artifacts, training data, and cross-account roles.
Fix
Upgrade LMDeploy to 0.12.3+. On every cloud-hosted inference node, enforce IMDSv2 with token requirement (this alone defeats IAM exfil). Restrict outbound egress from GPU nodes to required destinations only. Block 169.254.169.254 from inference containers without a use case. Apply the same logic to vision-LLM image loaders, agent tool-use endpoints, and RAG fetchers. Block 103.116.72[.]119 at the edge.

New 'PhantomRPC' bug lets any low-privileged Windows process become SYSTEM - all Windows versions affected, no patch from Microsoft

Kaspersky disclosed PhantomRPC at Black Hat Asia on April 24, an architectural flaw in how Windows handles a core internal communication system called RPC (Remote Procedure Call). When a privileged Windows process tries to talk to an RPC server that isn't running, the operating system doesn't check whether the thing answering is the real one - so a low-privileged attacker can stand up a fake RPC server, intercept the call, and inherit SYSTEM-level access. All Windows versions are affected. Kaspersky demonstrated five different exploitation paths and published the research tools on GitHub. Microsoft has not released a patch.

Check
Treat any unprivileged Windows process as a potential SYSTEM-escalation foothold and tighten EDR rules around suspicious RPC server registrations until Microsoft patches.
Affected
All Windows versions including Windows 10, Windows 11, and Windows Server, plus older builds. Acute risk on multi-user systems, terminal servers, and any host where untrusted code might run as a low-privileged service account such as NETWORK SERVICE - those are the easiest launch points for the technique.
Fix
There is no Microsoft patch yet. Use Kaspersky's public PhantomRPC tooling to audit your environment for exploitable RPC patterns. Tighten EDR detection on processes registering RPC endpoints with privileged-service UUIDs. On terminal servers, limit which low-privileged accounts can run code. Watch Microsoft Security Response Center for updates over the coming weeks.

Federal patch deadline for 13-year-old Apache ActiveMQ flaw is Wednesday - 7,500+ servers still exposed online (CVE-2026-34197)

Federal agencies have until April 30 - this Wednesday - to patch Apache ActiveMQ servers against CVE-2026-34197, a remote code execution flaw that has been hiding in the open source message broker for 13 years. Shadowserver shows more than 7,500 ActiveMQ servers still exposed online and unpatched. The bug normally requires a login, but on ActiveMQ versions 6.0.0 through 6.1.1 a separate older flaw lets attackers skip the login step entirely - making this an unauthenticated remote takeover on those builds. The vulnerability was found using Anthropic's Claude AI assistant by a researcher at Horizon3.ai, who said the discovery was '80% Claude.'

Check
Inventory every Apache ActiveMQ server, including in subsidiary networks and old developer environments, and patch this week before the federal deadline.
Affected
Apache ActiveMQ Classic versions before 5.19.4 and 6.x versions before 6.2.3. CVSS 8.4. ActiveMQ 6.0.0 through 6.1.1 are at acute risk because a separate flaw (CVE-2024-32114) removes the login requirement entirely on those versions, making this an unauthenticated takeover. ActiveMQ Artemis is not affected.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3 (ideally to 5.19.6 or 6.2.5). Change any default admin:admin credentials before exposing the broker again. Hunt broker logs for POSTs to /api/jolokia/ containing 'addNetworkConnector', for unexpected outbound HTTP from the Java process, and for unexpected child processes. Restrict the Jolokia API to internal networks only.

CISA adds actively-exploited Microsoft Defender 'BlueHammer' flaw to KEV as two sibling zero-days (RedSun, UnDefend) remain unpatched (CVE-2026-33825)

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Windows Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on fully-patched Windows 10 and Windows 11 hosts. It was patched in Microsoft's April 8 Patch Tuesday but a working proof-of-concept had already been published to GitHub by a researcher called 'Chaotic Eclipse' on April 7, before the fix shipped. Huntress Labs saw in-the-wild exploitation from April 10, with attackers also picking up two sibling Defender zero-days the same researcher leaked: RedSun (another local privilege escalation) and UnDefend (a denial-of-service that blocks Defender from pulling security definition updates, effectively disarming the EDR). Those two still have no Microsoft patch. The combination - a working privilege-escalation path plus an unpatched technique to silently cripple Defender itself - makes this a priority hunt, not just a priority patch.

Check
Verify that every Windows 10 and Windows 11 endpoint in your fleet has the April 2026 Patch Tuesday update installed and then hunt for the BlueHammer/RedSun/UnDefend technique patterns in your EDR telemetry.
Affected
Windows 10 and Windows 11 endpoints that have not installed the April 8, 2026 Patch Tuesday cumulative update. Note that patching closes BlueHammer (CVE-2026-33825) only - RedSun and UnDefend remain unpatched at time of writing, so patched hosts are still exposed to local privilege escalation via RedSun and to Defender disablement via UnDefend.
Fix
Deploy the April 2026 Patch Tuesday update (which addresses CVE-2026-33825) to every Windows endpoint and verify coverage against MDM or configuration-management inventory rather than trusting WSUS compliance alone. For the two unpatched sibling flaws, tighten EDR rules to alert on: anomalous file writes to Defender-controlled paths, unexpected changes to Defender signature update behavior, and any process attempting to stop or starve MsMpEng.exe. Treat any host where Defender has not received a signature update in over 48 hours as suspicious until proven otherwise. Review Huntress's public IoCs for the three techniques.

Attackers actively exploiting critical unauthenticated file upload flaw in Breeze Cache WordPress plugin on 400,000 sites (CVE-2026-3844)

Wordfence has seen more than 170 live exploit attempts against CVE-2026-3844, a critical unauthenticated arbitrary file upload in the Breeze Cache WordPress plugin from Cloudways. Breeze has roughly 400,000 active installations, making this one of the larger exposure events of the month. The flaw lives in the fetch_gravatar_from_remote function, which fetches avatar images from an arbitrary remote URL and saves them locally without validating the downloaded file's MIME type - so an attacker can point it at a .php payload and drop a webshell directly into a web-accessible directory. The attack is only possible when the 'Host Files Locally - Gravatars' add-on is enabled, which is not the default, but any site that turned it on for performance reasons is wide open. Cloudways shipped the fix as Breeze 2.4.5 earlier this week; as of publication only about 138,000 of the 400,000 installations had downloaded the patched version, leaving hundreds of thousands of sites exposed to a pre-auth RCE with 9.8 CVSS.

Check
Check every WordPress installation you run or manage (including marketing microsites, staff personal sites on corporate subdomains, and legacy tenant sites) for the Breeze Cache plugin and its version.
Affected
Breeze Cache WordPress plugin versions 2.4.4 and earlier, but only when the 'Host Files Locally - Gravatars' sub-feature has been enabled. CVSS 9.8. Discovered by security researcher Hung Nguyen (bashu). If you do not run that sub-feature the plugin is not currently exploitable via this bug, but the fix should still be applied immediately.
Fix
Update Breeze Cache to version 2.4.5 immediately across every site that uses it. If you cannot update straight away, disable the 'Host Files Locally - Gravatars' option or temporarily deactivate the plugin entirely. After patching, hunt the site's wp-content/uploads/cache directory and similar writable paths for recently-created .php files and files with mismatched MIME types, check for new WordPress admin users, and review web server logs for POSTs to the Breeze gravatar endpoint from the exploitation window. Confirm no webshell has been planted before declaring the site clean.

Microsoft ships emergency out-of-band patch for critical ASP.NET Core authentication cookie forgery flaw (CVE-2026-40372)

Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection flaw that lets unauthenticated attackers forge authentication cookies and escalate to SYSTEM privileges. The bug (CVE-2026-40372) is a regression introduced in the April 2026 Patch Tuesday: the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 NuGet packages compute the HMAC validation tag (the cryptographic signature that proves a cookie has not been tampered with) over the wrong bytes of the payload and then discard the hash in some cases. The broken check means attackers can forge payloads that pass DataProtection's authenticity checks and decrypt previously-protected data in auth cookies, antiforgery tokens, TempData, and OIDC state. Microsoft noticed the flaw only after users reported decryption failures in their apps after installing the .NET 10.0.6 update. Critical operational detail: updating to 10.0.7 stops future forgeries, but any tokens an attacker already got the app to legitimately sign during the vulnerable window (session refresh tokens, API keys, password reset links) remain valid forever unless you rotate the DataProtection key ring. Patching alone is not enough.

Check
Check whether any ASP.NET Core application you run is on the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6.
Affected
Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6 (shipped as part of .NET 10.0.0 through .NET 10.0.6).
Fix
Update the Microsoft.AspNetCore.DataProtection package to 10.0.7 and redeploy. Critically, also rotate the DataProtection key ring after patching - any legitimately-signed tokens (session refresh, API keys, password reset links) issued to an attacker during the vulnerable window remain valid until the key ring is rotated. Audit auth logs from April 14 through April 22 for suspicious token issuance.