Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Smart Slider 3 Pro update system hijacked - backdoored version pushed to 800,000+ WordPress sites via official channel

Attackers compromised Nextend's update infrastructure and pushed a fully weaponized version of Smart Slider 3 Pro (3.5.1.35) through the official WordPress and Joomla update channel on April 7. Sites with auto-updates enabled received a multi-layered remote access toolkit disguised as a legitimate plugin update. The malicious version was live for approximately six hours before detection. Patchstack's analysis found: unauthenticated remote command execution via crafted HTTP headers, a second authenticated backdoor with PHP eval and OS command execution, a hidden administrator account (prefixed wpsvc_) invisible in the admin interface, persistent backdoors planted in the active theme's functions.php and wp-config.php, and automated credential theft sent to an external server. Traditional defenses like firewalls, nonce verification, and role-based access controls are irrelevant here because the malicious code arrived through the trusted update channel. Affected sites should be considered fully compromised.

Check
Check if any of your WordPress or Joomla sites run Smart Slider 3 Pro. If you updated to version 3.5.1.35 on or after April 7, your site is compromised.
Affected
WordPress and Joomla sites running Smart Slider 3 Pro version 3.5.1.35 that updated between April 7, 2026 and detection ~6 hours later. The free version is not affected. Sites with auto-updates enabled were most at risk.
Fix
If you installed 3.5.1.35: restore from a backup dated April 5 or earlier (to account for time zones). If no backup is available: update to 3.5.1.36, remove the hidden admin user (check for wpsvc_ prefix), clean wp-config.php (remove WP_CACHE_SALT define), clean .htaccess (remove WPCacheSalt line), remove persistence files from theme's functions.php, delete backdoor files in /cache and /media directories, remove malicious wp_options entries (_wpc_ak, _wpc_uid, _wpc_uinfo, _perf_toolkit_source), reset all admin and database passwords, change FTP/SSH and hosting credentials, and enable 2FA for all admin accounts. Sites should be treated as fully compromised - credential theft means passwords are already in attacker hands.

CPUID website hijacked to serve RAT malware through official CPU-Z and HWMonitor downloads

Attackers compromised a backend API on CPUID's website and replaced the official download links for CPU-Z and HWMonitor with trojanized versions containing the STX RAT. The attack lasted approximately six hours between April 9-10, timed to when the lead developer was on holiday. The malicious packages used DLL sideloading - legitimate CPUID executables (still properly signed) were bundled alongside a malicious CRYPTBASE.dll that masquerades as a standard Windows library. When users launched HWMonitor or CPU-Z, the malicious DLL loaded and deployed the RAT entirely in memory, with four independent persistence paths. The primary goal was browser credential theft, specifically targeting Chrome's IElevation COM interface to dump and decrypt saved passwords. The same threat group previously compromised FileZilla downloads in early March 2026. CPUID's signed original files were not tampered with - this was an infrastructure attack redirecting download links to attacker-controlled Cloudflare R2 storage.

Check
Check if anyone in your organization downloaded CPU-Z or HWMonitor from cpuid.com between April 9-10. These are popular IT diagnostic tools that sysadmins and technicians frequently download.
Affected
Anyone who downloaded CPU-Z 2.19, HWMonitor 1.63, or other CPUID utilities from cpuid.com during the approximately six-hour compromise window (April 9-10, 2026). If the installer showed Russian-language prompts or was named HWiNFO_Monitor_Setup.exe instead of the expected CPUID filename, the system is compromised.
Fix
If you downloaded during the compromise window: consider the host fully compromised and re-image the machine. The malware has 4 independent persistence paths and may have delivered additional C2 payloads. At minimum: rotate all browser-saved passwords immediately (Chrome passwords are the primary theft target), scan for the CRYPTBASE.dll sideloading indicator, and block supp0v3[.]com at the network level. For ongoing protection: verify file hashes against known-good CPUID releases before running.

Unpatched Adobe Reader zero-day exploited since December - malicious PDFs steal data with zero clicks

An unpatched zero-day in Adobe Acrobat Reader has been actively exploited since at least November 2025 using booby-trapped PDF documents. The exploit, discovered by EXPMON researcher Haifei Li, works on the latest version of Adobe Reader without any user interaction beyond opening the file. It abuses privileged Acrobat JavaScript APIs (util.readFileIntoStream and RSS.addFeed) to silently harvest local files, OS details, language settings, and the Reader version from the victim's machine, then sends everything to an attacker-controlled server. The PDFs use Russian-language lures related to the oil and gas industry. The attack is a two-stage operation: the first pass fingerprints the target, and if the system meets the attacker's criteria, a follow-on RCE or sandbox escape payload is delivered. Only 5 out of 64 antivirus engines on VirusTotal detected the sample. No CVE has been assigned and no patch is available.

Check
Warn staff not to open PDF attachments from unknown or unexpected sources until Adobe releases a patch. This is especially urgent because the exploit requires no interaction beyond opening the file.
Affected
All current versions of Adobe Acrobat Reader on Windows and macOS. The exploit was confirmed working on Adobe Reader version 26.00121367, the latest at time of discovery.
Fix
No patch available yet - Adobe has been notified but has not released a fix. Immediate mitigations: disable JavaScript in Adobe Reader (Edit > Preferences > JavaScript > uncheck 'Enable Acrobat JavaScript'). Block outbound HTTP/HTTPS traffic containing 'Adobe Synchronizer' in the User-Agent header. Block the known C2 IP 169.40.2.68 on port 45191. Consider switching to an alternative PDF reader (like Foxit or browser-based viewing) until Adobe patches.

Ninja Forms WordPress plugin allows unauthenticated file upload leading to remote code execution

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows attackers to upload arbitrary files - including PHP web shells - without any authentication. Over 800,000 WordPress sites use Ninja Forms, and the File Uploads extension is one of its most popular premium add-ons. Successful exploitation gives an attacker full code execution on the web server. No user interaction required - just a crafted request to the file upload endpoint.

Check
Check if any of your WordPress sites use the Ninja Forms File Uploads premium add-on. This is a premium extension, not the free Ninja Forms base plugin.
Affected
WordPress sites running the Ninja Forms File Uploads premium add-on (vulnerable versions not yet confirmed in public reporting). The free base Ninja Forms plugin alone is not affected.
Fix
Update the Ninja Forms File Uploads add-on to the latest version immediately. If you can't patch right away, temporarily disable the file upload functionality. Review your web server logs for unexpected file uploads in the Ninja Forms upload directory. Use a WAF rule to block PHP file uploads to Ninja Forms endpoints.

Docker Engine authorization bypass lets attackers escape containers and access host credentials (CVE-2026-34040)

A high-severity Docker Engine flaw allows attackers to bypass authorization plugins with a single oversized HTTP request. CVE-2026-34040 (CVSS 8.8) stems from an incomplete fix for CVE-2024-41110 from July 2024 - the original patch missed requests over 1MB, which get forwarded to the Docker daemon without their body, so the AuthZ plugin sees nothing to block while the daemon processes the full malicious payload. The result: a privileged container with root access to the host filesystem, exposing AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. Critically, Cyera researchers demonstrated that AI coding agents running inside Docker sandboxes can be tricked via prompt injection into crafting the bypass request themselves - no human attacker needed.

Check
Check if you use Docker with authorization plugins (OPA, Prisma Cloud, or custom AuthZ policies). If you don't use AuthZ plugins, you're not affected by this specific flaw.
Affected
Docker Engine versions prior to 29.3.1 when running with AuthZ plugins enabled. The underlying flaw has existed since Docker Engine 1.10. Environments running AI agents or developer tools inside Docker containers are at elevated risk.
Fix
Update Docker Engine to version 29.3.1. If you can't patch immediately: avoid AuthZ plugins that rely on request body inspection, restrict Docker API access to trusted parties only, or run Docker in rootless mode so that even a privileged container maps to an unprivileged host UID. For AI agent sandboxes, apply the --userns-remap setting to limit blast radius.

Unpatched Windows zero-day "BlueHammer" leaked after researcher's dispute with Microsoft - exploit code public, no fix available

A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.

Check
Assess your Windows endpoint fleet's exposure. This is a local privilege escalation - it requires an attacker to already have local access, making it a post-compromise escalation tool.
Affected
Windows desktop systems (Windows 10, Windows 11). Windows Server appears less affected - testing shows the exploit is unreliable on Server editions. No CVE has been assigned yet.
Fix
No patch available - this is an unpatched zero-day. Mitigate by restricting local user permissions to minimum necessary, monitoring EDR for unusual privilege escalation and SAM database access attempts, and hardening against the initial access vectors (phishing, stolen credentials) that would give attackers the local foothold they need. Watch for a Microsoft patch in an upcoming Patch Tuesday or out-of-band update.

Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)

If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.

Check
If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency - apply the hotfix now, not after the holiday.
Affected
FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
Fix
Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review logs for unusual API requests since March 31.

766+ Next.js hosts breached in automated React2Shell credential theft campaign (CVE-2025-55182)

Cisco Talos uncovered a large-scale automated campaign by threat cluster UAT-10608 that exploits React2Shell - a CVSS 10.0 pre-auth RCE flaw in React Server Components used by Next.js. One crafted HTTP request is all it takes to get code execution, no credentials needed. The attackers scan with Shodan and Censys, breach Next.js apps, then deploy the NEXUS Listener framework to harvest database credentials, SSH keys, AWS tokens, Stripe API keys, Kubernetes secrets, and GitHub tokens at scale. At least 766 hosts across multiple cloud providers were compromised within 24 hours.

Check
Check if you run any Next.js applications using React Server Components, especially internet-facing deployments on AWS, GCP, or Azure.
Affected
React Server Components packages versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Any Next.js application using the App Router with these React versions is vulnerable.
Fix
Update React Server Components to a patched version immediately. Rotate all credentials on any server running a vulnerable Next.js deployment - database passwords, SSH keys, AWS keys, Stripe keys, GitHub tokens. Enforce AWS IMDSv2 to prevent cloud metadata credential theft. Enable secret scanning in your repos. Monitor for outbound connections to NEXUS Listener C2 infrastructure.

Progress ShareFile pre-auth RCE chain disclosed - 30,000 instances exposed, ransomware gangs watching (CVE-2026-2699, CVE-2026-2701)

Two flaws in Progress ShareFile's Storage Zones Controller can be chained for unauthenticated remote code execution - no credentials needed. An attacker first bypasses authentication via improper HTTP redirect handling, then uploads a malicious webshell through the file upload function. watchTowr published full technical details and a proof-of-concept. Around 30,000 instances are exposed online. File transfer solutions are a favorite ransomware target - Clop hit Accellion, GoAnywhere, MOVEit, and Cleo the same way.

Check
Check if you run Progress ShareFile with customer-managed Storage Zones Controller on branch 5.x.
Affected
ShareFile Storage Zones Controller 5.x versions prior to 5.12.4. Cloud-only ShareFile deployments are not affected.
Fix
Update to ShareFile Storage Zones Controller 5.12.4 or later (released March 10). Audit web server logs for requests to /ConfigService/Admin.aspx. Check the webroot for unexpected ASPX files that could indicate existing compromise.

Cisco IMC authentication bypass lets unauthenticated attackers take full admin control of servers (CVE-2026-20093)

Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.

Check
Check if any Cisco UCS C-Series M5/M6 servers, ENCS 5000, Catalyst 8300, or UCS E-Series systems have their IMC web interface accessible from the network.
Affected
Cisco UCS C-Series M5 and M6 Rack Servers (standalone mode), 5000 Series ENCS, Catalyst 8300 Edge uCPE, UCS E-Series M3/M6, plus dozens of appliances built on preconfigured UCS C-Series including APIC, Secure Firewall Management Center, and Cyber Vision Center.
Fix
Update Cisco IMC firmware: ENCS 5000 to 4.15.5, UCS C-Series to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174) depending on track. Restrict IMC interface access to a dedicated management VLAN. Audit existing IMC user accounts for any unauthorized password changes.