Weekly Threat Landscape Digest – Week 16

1. Critical Vulnerability in Juniper JSI vLWC Enabling Unauthorized Administrative Access

• A critical vulnerability has been identified in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) that allows unauthenticated attackers to gain full administrative access.
• CVE-2026-33784 (CVSS 9.8) is caused by a default high-privileged account password that is not enforced to be changed during system provisioning.
• Attackers can exploit this weakness remotely without authentication to access the system.
• The vulnerability impacts all versions of JSI vLWC prior to version 3.0.94.
• The issue is resolved in JSI vLWC version 3.0.94 and later.

Impact:

• Successful exploitation may allow attackers to gain full control of the affected system.
• Attackers may perform unauthorized configuration changes, access sensitive data, and disrupt services.
• Compromised systems could be used as a pivot point for further network intrusion.

Recommendations:

• Immediately upgrade all affected JSI vLWC instances to version 3.0.94 or later.
• Change all default credentials and enforce strong password policies.
• Restrict access to management interfaces using VPN or IP allowlisting.
• Monitor system logs for unauthorized access attempts or suspicious activity.
• Conduct a security assessment to identify potential compromise.

Reference:

• https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-vLWC-Default-password-is-not-required-to-be-changed-which-allows-unauthorized-high-privileged-access-CVE-2026-33784

2. Actively Exploited Vulnerabilities in Microsoft Windows Products

Technical Details / Key Points:
• Multiple vulnerabilities across Microsoft Windows, Exchange Server, and Visual Basic for Applications (VBA) are actively exploited in the wild.
• CVE-2025-60710 – Windows Link Following Vulnerability allows local privilege escalation due to improper link resolution in Host Process for Windows Tasks.
• CVE-2023-36424 – Out-of-Bounds Read vulnerability enables attackers to elevate privileges from Medium to High Integrity Level.
• CVE-2023-21529 – Microsoft Exchange Server Remote Code Execution vulnerability allows authenticated attackers to execute arbitrary code via network calls.
• CVE-2012-1854 – VBA Insecure Library Loading vulnerability allows remote code execution when a malicious DLL is loaded via a legitimate Office file.
• These vulnerabilities impact widely used enterprise systems and are confirmed under active exploitation.

Impact:
• Attackers may achieve privilege escalation and gain full system control.
• Remote code execution on Exchange servers may lead to email compromise and lateral movement.
• Exploitation of VBA vulnerability can result in full user-level compromise through malicious documents.
• Active exploitation significantly increases risk to unpatched systems, especially internet-facing assets.

Recommendations:
• Immediately apply Microsoft Patch Tuesday updates for Windows, Exchange Server, and VBA.
• Prioritize patching of internet-facing systems and Exchange servers.
• Restrict execution of untrusted Office files and enforce macro security policies.
• Monitor for suspicious privilege escalation activity and abnormal process behavior.
• Conduct threat hunting for indicators of compromise related to these CVEs.

Reference:
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
• https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046

3. SAP Security Patch Day Advisory – April 2026

Technical Details / Key Points:
• SAP released its April 2026 Security Patch Day updates addressing 19 new vulnerabilities and 1 updated security note across core platforms including SAP S/4HANA, SAP ERP, SAP NetWeaver, and SAP BusinessObjects.
• The most critical vulnerability, CVE-2026-27681 (CVSS 9.9), is a SQL Injection flaw affecting SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW).
• This vulnerability may allow attackers to execute arbitrary SQL queries leading to full database compromise.
• A high-severity vulnerability, CVE-2026-34256 (CVSS 7.1), involves a missing authorization check impacting SAP ERP and SAP S/4HANA.
• Multiple medium and low severity vulnerabilities affect components such as SAP NetWeaver, SAP BusinessObjects, SAP HANA, and S/4HANA OData services.
• These vulnerabilities impact widely deployed enterprise environments handling critical business data.

Impact:
• Exploitation of the critical SQL injection vulnerability may lead to full database compromise and data exfiltration.
• High-severity issues may allow unauthorized access to sensitive business functions.
• Medium vulnerabilities may expose systems to information disclosure, service disruption, or partial compromise.
• Unpatched SAP environments may face significant operational and financial risks.

Recommendations:
• Immediately apply SAP April 2026 Security Patch Day updates.
• Prioritize remediation of CVE-2026-27681 (Critical) and other high-severity vulnerabilities.
• Restrict access to SAP applications and administrative interfaces.
• Monitor SAP logs for suspicious database queries and unauthorized access attempts.
• Conduct a security review of SAP environments to identify potential exposure.

Reference:
• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april2026.html

4. Microsoft Security Updates – April 2026 (Patch Tuesday)

Technical Details / Key Points:
• Microsoft released April 2026 Patch Tuesday updates addressing 167 vulnerabilities across its ecosystem.
• The update includes an actively exploited zero-day vulnerability (CVE-2026-32201) affecting Microsoft SharePoint Server.
• The zero-day is a spoofing vulnerability that is already being exploited in the wild.
• Multiple Remote Code Execution (RCE) vulnerabilities impact Windows TCP/IP, IKEv2, Active Directory, Remote Desktop Client, and Microsoft Office.
• A large number of Elevation of Privilege (EoP) vulnerabilities affect core components such as WinSock, CLFS Driver, Desktop Window Manager, and Windows COM.
• Security feature bypass vulnerabilities impact BitLocker, Secure Boot, and Windows Hello.
• Additional spoofing vulnerabilities affect RDP, Windows Shell, and related components.

Impact:
• Exploitation of the zero-day SharePoint vulnerability may lead to unauthorized access and compromise of enterprise collaboration systems.
• RCE vulnerabilities may allow attackers to execute arbitrary code remotely on affected systems.
• EoP vulnerabilities enable attackers to escalate privileges after initial compromise.
• Security feature bypasses weaken system protections, increasing overall attack surface.
• Unpatched systems, especially internet-facing servers, are at high risk of compromise.

Recommendations:
• Immediately apply Microsoft April 2026 Patch Tuesday updates across all systems.
• Prioritize patching of public-facing SharePoint servers and internet-exposed services.
• Restrict or isolate access to vulnerable SharePoint instances.
• Monitor for suspicious activity related to RCE, privilege escalation, and spoofing attempts.
• Conduct threat hunting for indicators of compromise, especially on critical infrastructure systems.

Reference:
• https://msrc.microsoft.com/update-guide/releaseNote/2026-Apr

5. Critical Vulnerabilities in Fortinet Products

Technical Details / Key Points:
• Multiple critical vulnerabilities have been identified across Fortinet products including FortiOS, FortiManager, FortiAnalyzer, FortiSandbox, FortiClientEMS, and FortiSOAR.
• Several vulnerabilities allow remote code execution (RCE), authentication bypass, and unauthorized system access.
• CVE-2026-22828 – Heap-based buffer overflow in FortiAnalyzer Cloud enabling unauthenticated RCE via crafted requests.
• CVE-2026-39808 – OS command injection in FortiSandbox allowing remote unauthenticated command execution.
• CVE-2026-39809 / 39815 – SQL injection vulnerabilities in FortiClientEMS and FortiDDoS-F enabling arbitrary database queries.
• CVE-2026-39813 – Authentication bypass and path traversal in FortiSandbox API.
• Additional vulnerabilities include SSRF, XSS, credential exposure, cleartext transmission, DoS, and file operation abuses.
• CVE-2025-61624 – Path traversal vulnerability enabling arbitrary file write/delete across multiple Fortinet products.

Impact:
• Attackers may gain initial access and execute arbitrary commands remotely.
• Unauthorized access could lead to full system compromise and data exfiltration.
• Authentication bypass and credential exposure increase risk of account takeover.
• Exploitation of internet-facing Fortinet devices may lead to widespread network compromise.

Recommendations:
• Immediately apply latest Fortinet patches and firmware updates.
• Prioritize internet-facing systems such as FortiOS, FortiManager, and FortiAnalyzer.
• Restrict administrative access to trusted networks or VPN.
• Monitor logs for suspicious API calls, authentication bypass attempts, and abnormal traffic.
• Conduct a full security assessment to detect potential compromise.

Reference:
• https://fortiguard.fortinet.com/psirt

6. Multiple Vulnerabilities in Synology DiskStation Manager (DSM)

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Synology DiskStation Manager (DSM) that may allow file access, data exposure, and denial-of-service attacks.
• CVE-2026-40530 (CVSS 8.0) – CRLF Injection vulnerability enabling arbitrary file read/write and DoS.
• CVE-2026-40539 (CVSS 7.1) – Improper certificate validation allowing man-in-the-middle (MITM) attacks.
• CVE-2026-4036 (CVSS 6.5) – SQL Injection vulnerability leading to sensitive data exposure.
• Additional vulnerabilities (CVE-2026-40531 / 40532 / 40534 / 40536 / 40537) include Integer Overflow, Forced Browsing, XSS, Path Traversal, and SSRF.
• Further issues (CVE-2026-40533 / 40535 / 40538) involve information disclosure, path traversal, and improper authentication controls.
• Vulnerabilities may be exploited by authenticated or unauthenticated attackers depending on configuration.

Impact:
• Attackers may read or modify arbitrary files on affected systems.
• Sensitive information exposure may occur through SQL injection and misconfigurations.
• MITM vulnerabilities may compromise secure communications.
• Systems may be impacted by denial-of-service attacks affecting availability.
• Exploitation could lead to partial or full compromise of NAS environments.

Recommendations:
• Upgrade DSM to the latest fixed versions immediately:

• DSM 7.3 → 7.3.2-86009-2 or later 
• DSM 7.2.2 → 7.2.2-72806-7 or later 
• DSM 7.2.1 → 7.2.1-69057-10 or later
  • Restrict external access to DSM management interfaces.
  • Enable HTTPS and validate certificates to prevent MITM attacks.
  • Monitor logs for suspicious file access, authentication attempts, and abnormal activity.
  • Conduct regular vulnerability assessments of NAS systems. 

Reference:
• https://www.synology.com/en-my/security/advisory/Synology_SA_26_06

7. Security Updates – Adobe Products

Technical Details / Key Points:
• Adobe has released security updates addressing multiple vulnerabilities across products including Acrobat Reader, InDesign, InCopy, Experience Manager, FrameMaker, Connect, ColdFusion, Bridge, Photoshop, DNG SDK, and Illustrator.
• Several critical vulnerabilities allow arbitrary code execution, including:

• CVE-2026-34622 / 34626 – Acrobat Reader (Prototype Pollution) 
• Multiple CVEs in InDesign, InCopy, FrameMaker, Bridge, Photoshop, and Illustrator enabling code execution
  • Adobe Connect vulnerabilities include deserialization flaws, XSS leading to code execution, and privilege escalation.
  • Adobe ColdFusion vulnerabilities include path traversal, arbitrary code execution, and security bypass issues.
  • Adobe Experience Manager (AEM) vulnerabilities include XSS that could lead to code execution.
  • Additional issues include denial-of-service (DoS), memory exposure, and file system read vulnerabilities across multiple products.
  • These vulnerabilities affect widely used enterprise and creative software environments. 

Impact:
• Attackers may execute arbitrary code on affected systems.
• Sensitive data exposure may occur through memory leaks and file read vulnerabilities.
• XSS and deserialization flaws may allow session hijacking and system compromise.
• Exploitation may lead to privilege escalation and full system takeover.
• Unpatched systems are at risk, especially where Adobe products handle untrusted files or web content.

Recommendations:
• Immediately apply the latest Adobe security updates across all affected products.
• Prioritize patching of internet-facing services such as Adobe Experience Manager and Adobe Connect.
• Restrict opening of untrusted files, especially PDFs and design documents.
• Monitor systems for suspicious activity, including abnormal file execution and application crashes.
• Refer to Adobe Security Bulletins for detailed patch guidance and affected versions.

Reference:
• https://helpx.adobe.com/security/security-bulletin.html

8. Multiple Critical Vulnerabilities in Google Chrome

Technical Details / Key Points:
• Google has released a Chrome Stable Channel update addressing 31 security vulnerabilities, including multiple critical memory corruption flaws.
• Critical vulnerabilities include heap buffer overflows and use-after-free conditions that may lead to remote code execution (RCE).
• Key critical CVEs:

• CVE-2026-6296 – Heap buffer overflow in ANGLE 
• CVE-2026-6297 – Use-after-free in Proxy 
• CVE-2026-6298 – Heap buffer overflow in Skia 
• CVE-2026-6299 – Use-after-free in Prerender 
• CVE-2026-6358 – Use-after-free in XR
  • High severity vulnerabilities affect components such as Video, CSS, Turbofan (V8), PDFium, GPU, Media, Permissions, and FileSystem.
  • Medium severity issues include type confusion and out-of-bounds read vulnerabilities in V8 and Skia.
  • Fixed versions: 
• Chrome 147.0.7727.101/102 (Windows/Mac) 
• Chrome 147.0.7727.101 (Linux) 

Impact:
• Successful exploitation may allow attackers to execute arbitrary code via malicious web pages.
• Memory corruption vulnerabilities may lead to full browser compromise and potential system takeover.
• Users may be exposed to drive-by attacks simply by visiting a malicious or compromised website.
• Exploitation could result in data theft, session hijacking, or further malware deployment.

Recommendations:
• Immediately update Google Chrome to the latest fixed version.
• Enable automatic updates across all endpoints.
• Restrict access to untrusted or malicious websites.
• Monitor systems for abnormal browser behavior or crashes.
• Apply endpoint protection and browser isolation where possible.

Reference:
• https://chromereleases.googleblog.com/

9. Critical Vulnerabilities in Cisco ISE & Webex

Technical Details / Key Points:
• Multiple critical vulnerabilities have been disclosed affecting Cisco Identity Services Engine (ISE), ISE Passive Identity Connector (ISE-PIC), and Cisco Webex Services.
• CVE-2026-20147 (CVSS 9.9) – Remote Code Execution in Cisco ISE/ISE-PIC via crafted HTTP requests due to insufficient input validation.
• CVE-2026-20148 (CVSS 4.9) – Path Traversal vulnerability allowing access to sensitive files.
• Additional RCE vulnerabilities:

• CVE-2026-20180 / CVE-2026-20186 (CVSS 9.9) – Allow remote code execution with only read-only admin privileges.
  • CVE-2026-20184 (CVSS 9.8) – Webex SSO certificate validation flaw enabling authentication bypass and user impersonation.
  • Vulnerabilities may be exploited via crafted HTTP requests or SSO tokens.
  • Fixed versions available for Cisco ISE across multiple patch levels; Webex issue patched cloud-side with required configuration updates. 

Impact:
• Attackers may execute arbitrary commands and gain root-level access on affected systems.
• Path traversal may expose sensitive configuration files and credentials.
• Webex vulnerability may allow attackers to impersonate users and gain unauthorized access.
• Exploitation may result in full system compromise, service disruption, and data exposure.

Recommendations:
• Immediately upgrade Cisco ISE and ISE-PIC to the latest patched versions.
• Validate patch deployment across all nodes in the environment.
• Update SAML IdP certificates in Webex Control Hub and verify trust chains.
• Restrict administrative access to trusted networks and enforce least privilege.
• Monitor logs for suspicious authentication attempts, HTTP requests, and abnormal activity.

Reference:
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-4fverepv
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ

10. High-Severity SQL Injection Vulnerability in ManageEngine Password Manager Pro & PAM360

Technical Details / Key Points:
• A high-severity SQL Injection vulnerability has been identified in ManageEngine Password Manager Pro and PAM360.
• CVE-2026-5785 – The flaw is caused by improper input validation, allowing attackers to execute arbitrary SQL queries.
• The vulnerability can be exploited by users with Password Auditor role (low privilege).
• Successful exploitation may allow privilege escalation to Privileged Administrator level.
• Affected versions:

• Password Manager Pro: 8600 to 13230 
• PAM360: up to version 8530
  • Fixed versions: 
• Password Manager Pro: 13231 
• PAM360: 8531 

Impact:
• Attackers may escalate privileges from low-level access to full administrative control.
• Unauthorized access to sensitive credentials and privileged accounts.
• Ability to perform critical administrative actions within the system.
• Potential compromise of enterprise password vaults and infrastructure.

Recommendations:
• Immediately upgrade to the latest fixed versions.
• Restrict access to privileged roles and enforce least privilege principles.
• Monitor logs for suspicious database queries and privilege escalation attempts.
• Conduct security audit of privileged access systems.
• Apply vendor-recommended mitigations and security best practices.

Reference:
• https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2026-5785.html

11. Security Updates – GitLab Community Edition (CE) & Enterprise Edition (EE)

Technical Details / Key Points:
• GitLab released security updates addressing multiple vulnerabilities in Community Edition (CE) and Enterprise Edition (EE).
• Vulnerabilities impact core components including WebSockets, GraphQL APIs, Terraform state handling, CSV processing, analytics dashboards, and access control mechanisms.
• High-severity issues include CVE-2026-5173 (WebSocket exposed method abuse), CVE-2026-1092 (Terraform state lock API DoS), and CVE-2025-12664 (GraphQL API DoS).
• Medium-severity issues include CSV import/export DoS, GraphQL SBOM API DoS, XSS in analytics dashboards, authorization flaws in vulnerability flag API, data disclosure via GraphQL and CSV exports, and improper environment access control.
• Low-severity issue includes CVE-2026-4916 enabling custom role permission escalation.
• Fixed versions: GitLab CE/EE 18.10.3, 18.9.5, 18.8.9

Impact:
• Attackers may cause service disruption affecting CI/CD and DevOps pipelines.
• Sensitive data exposure including emails, project data, and system configurations.
• XSS and authorization flaws may enable session compromise and privilege misuse.
• Potential impact on code integrity and software delivery pipelines.

Recommendations:
• Immediately upgrade GitLab CE/EE to patched versions 18.10.3 / 18.9.5 / 18.8.9 or later.
• Restrict access to GitLab API, WebSocket, and administrative interfaces.
• Monitor GraphQL and WebSocket activity for abnormal or repeated requests.
• Enforce least privilege access and review user roles regularly.
• Enable logging and alerting for API abuse and anomalous behavior.

Reference:
• https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/#cve-2026-5173—exposed-method-issue-in-websocket-connections-impactsgitlab-ceee 

12. Critical Vulnerability in Adobe Acrobat Reader and Adobe Acrobat

Technical Details / Key Points:
• Adobe released a Priority 1 (Critical) update addressing CVE-2026-34621, a Prototype Pollution vulnerability affecting Acrobat and Reader on Windows and macOS.
• The vulnerability is confirmed as actively exploited in the wild, increasing the immediate risk to users.
• CVE-2026-34621 (CVSS 9.6) allows remote attackers to achieve arbitrary code execution via specially crafted malicious PDF files.
• Successful exploitation may lead to full system compromise without requiring user privileges.
• Affected products include Acrobat DC, Acrobat Reader DC, and Acrobat 2024 (Classic versions).
• Patched versions have been released for all affected platforms, resolving the vulnerability.

Impact:
• Attackers can execute arbitrary code on victim systems through malicious PDF documents.
• Active exploitation increases risk of widespread compromise across enterprise and personal endpoints.
• Compromised systems may be used for data theft, malware deployment, or lateral movement within networks.
• High likelihood of phishing and malicious document-based attack campaigns.

Recommendations:
• Immediately update Adobe Acrobat and Acrobat Reader to the latest patched versions.
• Block or restrict execution/opening of untrusted PDF files where possible.
• Enable protected mode and sandboxing features in Adobe Reader.
• Monitor endpoints for unusual PDF execution behavior or exploitation attempts.
• Prioritize patching across all user endpoints, especially email-handling systems.

Reference:
• https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

13. Exploited Critical Vulnerability in Marimo (Python Notebook Platform)

Technical Details / Key Points:
• A critical remote code execution vulnerability CVE-2026-39987 has been identified in the open-source Python notebook platform Marimo.
• The vulnerability has been actively exploited within hours of public disclosure, indicating rapid weaponization.
• CVE-2026-39987 (CVSS 9.3) allows unauthenticated attackers to achieve full system-level remote code execution.
• The flaw exists due to a misconfigured WebSocket endpoint exposed to the network.
• Exploitation activity includes reconnaissance and credential harvesting, suggesting active attacker engagement.
• Affected versions include Marimo ≤ 0.20.4, with a fix available in v0.23.0.

Impact:
• Attackers may gain full system compromise without authentication.
• Sensitive data such as environment variables, SSH keys, and configuration files may be exposed.
• Compromised instances can be used for persistence, data theft, and lateral movement.
• Internet-exposed deployments are at immediate high risk due to active exploitation.

Recommendations:
• Immediately upgrade Marimo to version v0.23.0 or later.
• Disable or restrict external network access to Marimo instances until patched.
• Monitor for unauthorized WebSocket activity and unusual system behavior.
• Conduct immediate security review of exposed environments and credentials.
• Remove or isolate internet-facing deployments where possible.

Reference:
• https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc

14. Critical Vulnerability in Axios (Node.js HTTP Client)

Technical Details / Key Points:
• A critical vulnerability CVE-2026-40175 has been identified in Axios, a widely used HTTP client for Node.js and browser environments.
• The flaw enables attackers to escalate issues like prototype pollution into remote code execution (RCE) or full cloud environment compromise.
• CVE-2026-40175 (CVSS 10.0) arises from improper handling of HTTP headers in lib/adapters/http.js.
• The vulnerability involves header injection, request smuggling, and SSRF escalation, classified under CWE-113 (CRLF injection).
• Affected versions include Axios < 1.13.2, with fixes available in 1.15.0 and later.
• Public proof-of-concept code is available, increasing exploitation risk.

Impact:
• Attackers may exploit this flaw to achieve remote code execution in dependent applications.
• Cloud environments using vulnerable Axios versions may face full infrastructure compromise.
• SSRF exploitation can lead to internal network access and sensitive data exposure.
• Prototype pollution chains may amplify impact across multiple dependencies.

Recommendations:
• Immediately upgrade Axios to version 1.15.0 or later.
• Implement strict HTTP header validation and input sanitization.
• Audit applications using Axios for indirect dependency exposure.
• Monitor for SSRF patterns, abnormal header manipulation, and request anomalies.
• Apply security patches across all Node.js and JavaScript-based applications using Axios.

Reference:
• https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

15. Multiple Vulnerabilities in Apache Storm

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Apache Storm that may allow authenticated attackers to execute arbitrary code or compromise administrator sessions.
• CVE-2026-35337 (Severity: Important) – Improper deserialization of a base64-encoded Kerberos TGT using ObjectInputStream.readObject() without validation.

• An authenticated attacker can send a crafted object via Nimbus Thrift API.
• May result in remote code execution (RCE) on Nimbus and Worker nodes.

• CVE-2026-35565 (Severity: Moderate) – Stored cross-site scripting (XSS) in Storm UI due to unsafe HTML rendering using innerHTML.

• Allows JavaScript injection when topology metadata is viewed by an administrator.
• May lead to session hijacking or privilege abuse.

• Affected versions: Apache Storm < 2.8.6
  • Fixed version: Apache Storm 2.8.6 or later

Impact:
• Attackers with authenticated access may achieve remote code execution on cluster components.
• XSS vulnerabilities may lead to administrator session compromise and privilege escalation.
• Compromise of Storm infrastructure may impact distributed data processing pipelines.
• Potential disruption or manipulation of streaming and analytics workloads.

Recommendations:
• Immediately upgrade Apache Storm to version 2.8.6 or later.
• Restrict access to Nimbus Thrift API and Storm UI to trusted networks only.
• Enforce strong authentication and role-based access control.
• Sanitize all user-controlled inputs in dashboards and UI components.
• Monitor for unusual topology submissions, deserialization attempts, and admin session anomalies.

Reference:
• https://lists.apache.org/thread/tsv264jx9mo3qm44snpogtono9zm128l
• https://lists.apache.org/thread/98b9fp9t77y2m4m3l1msxkjz59tqlpvg

16. Multiple Vulnerabilities in Apache Tomcat

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Apache Tomcat that may lead to sensitive data exposure, authentication bypass, and encryption bypass.
• CVE-2026-29146 (High Severity) – Padding oracle attack in EncryptInterceptor allowing attackers to decrypt sensitive data without the encryption key.
• CVE-2026-34486 (High Severity) – Regression flaw in EncryptInterceptor fix, enabling bypass and exposure of sensitive data in unencrypted form.
• CVE-2026-34500 (Medium Severity) – OCSP soft-fail authentication bypass where CLIENT_CERT authentication may incorrectly succeed during OCSP validation errors.
• These vulnerabilities impact confidentiality and authentication integrity in affected Tomcat deployments.

Affected Versions:
• Apache Tomcat 9.x (prior to 9.0.117)
• Apache Tomcat 10.1.x (prior to 10.1.54)
• Apache Tomcat 11.x (prior to 11.0.21)

Fixed Versions:
• Apache Tomcat 9.0.117 or later
• Apache Tomcat 10.1.54 or later
• Apache Tomcat 11.0.21 or later

Impact:
• Attackers may decrypt sensitive application data without encryption keys.
• Authentication mechanisms may be bypassed under specific conditions.
• Exposure of unencrypted sensitive information may lead to data breaches.
• Compromise of trust in client certificate-based authentication systems.

Recommendations:
• Immediately upgrade Apache Tomcat to the latest fixed versions.
• Validate EncryptInterceptor configuration and encryption implementations.
• Monitor for abnormal authentication patterns and OCSP validation failures.
• Enforce strict certificate validation policies and review TLS configurations.
• Conduct security testing for encryption and authentication bypass scenarios.

Reference:
• https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
• https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
• https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2

17. Critical RCE Vulnerability in Krayin CRM

Technical Details / Key Points:
• A critical remote code execution vulnerability has been identified in Krayin CRM, an open-source CRM platform built on Laravel and Vue.js.
• CVE-2026-38526 (CVSS 9.9) allows authenticated attackers to execute arbitrary code on the server.
• The issue exists in the /admin/tinymce/upload endpoint where file uploads are not properly validated.
• The application fails to enforce MIME type and file extension restrictions and stores uploaded files in a web-accessible directory.
• Attackers can upload malicious PHP files and execute them via direct web requests, leading to full system compromise.
• Affected versions include Krayin CRM 2.2.x.

Impact:
• Attackers with authenticated access can achieve remote code execution on the server.
• Full system compromise may occur, including database access and application takeover.
• Malicious file uploads can lead to persistent backdoors and lateral movement.
• Exposure of CRM data including customer and business information.

Recommendations:
• Enforce strict file upload validation (MIME type and extension allowlisting).
• Store uploaded files outside the web root (e.g., /storage/).
• Disable script execution in upload directories via server configuration.
• Restrict upload functionality to trusted and privileged users only.
• Rename uploaded files using secure random identifiers (UUIDs).
• Deploy a Web Application Firewall (WAF) to detect malicious upload attempts.
• Monitor logs for suspicious file uploads and execution activity.
• Apply vendor patches immediately once available.

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-38526

18. Critical Vulnerability in Everest Forms WordPress Plugin

Technical Details / Key Points:
• A critical vulnerability has been identified in the Everest Forms WordPress Plugin affecting over 100,000 websites.
• CVE-2026-3296 (CVSS 9.8) is a PHP Object Injection (unsafe deserialization) vulnerability.
• The flaw allows unauthenticated attackers to exploit public-facing forms to inject malicious PHP objects.
• Successful exploitation may lead to remote code execution (RCE), full website compromise, and persistent backdoor installation.
• Affected versions include Everest Forms plugin ≤ 3.4.3, with a fix available in v3.4.4.
• The vulnerability is actively exploitable due to exposure through public form endpoints requiring no authentication.

Impact:
• Attackers may achieve full compromise of WordPress websites without authentication.
• Potential for persistent backdoors and complete site takeover.
• Risk of data theft, defacement, and malicious content injection.
• Large-scale exposure due to widespread plugin usage increases likelihood of mass exploitation campaigns.

Recommendations:
• Immediately update Everest Forms plugin to version 3.4.4 or later.
• Disable or restrict public form endpoints where possible.
• Implement input validation and secure deserialization practices.
• Monitor web server logs for suspicious form submissions and payload patterns.
• Deploy Web Application Firewall (WAF) rules to block object injection attempts.
• Conduct security audit of all WordPress plugins and remove unused components.

Reference:
• https://www.tenable.com/cve/CVE-2026-3296