Weekly Threat Landscape Digest – Week 17

1. Security Updates for GitLab Community Edition and GitLab Enterprise Edition Addressing Multiple Vulnerabilities

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), including Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Denial-of-Service (DoS), and access control issues.
• CVE-2026-4922 – CSRF vulnerability in GraphQL API allowing unauthorized actions.
• CVE-2026-5816 – Improper path validation in Web IDE leading to potential unauthorized file access.
• CVE-2026-5262 – XSS vulnerability in Storybook component.
• CVE-2025-0186 – DoS vulnerability in discussions endpoint.
• CVE-2026-1660 – DoS vulnerability in Jira import.
• CVE-2025-6016 – DoS vulnerability in notes endpoint.
• CVE-2025-3922 – DoS vulnerability in GraphQL API.
• CVE-2026-6515 – Insufficient session expiration in virtual registry credentials.
• CVE-2026-5377 – Improper access control in issue description renderer.
• CVE-2026-3254 – Improper restriction in Mermaid sandbox.
• CVE-2025-9957 – Improper access control in project fork relationship API.
• The vulnerabilities are resolved in GitLab CE/EE versions 18.11.1, 18.10.4, and 18.9.6.

Impact:
• Attackers may perform unauthorized actions via CSRF attacks.
• XSS vulnerabilities may lead to malicious script execution and session hijacking.
• DoS vulnerabilities can disrupt service availability.
• Access control issues may expose sensitive project data and internal resources.
• Exploitation may compromise source code integrity and development pipelines.

Recommendations:
• Immediately upgrade GitLab CE/EE instances to 18.11.1, 18.10.4, 18.9.6, or later versions.
• Enforce strong input validation and output encoding to mitigate XSS risks.
• Implement CSRF protections and secure API usage practices.
• Apply rate limiting and monitoring to mitigate DoS attacks.
• Review and enforce proper access control and session management policies.
• Monitor logs for suspicious API activity and unauthorized access attempts.

Reference:
• https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/

2. Actively Exploited Vulnerabilities in Cisco Catalyst SD-WAN Manager

Technical Details / Key Points:
• Multiple high-severity vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager and are actively exploited in the wild.
• CVE-2026-20122 – Arbitrary File Overwrite vulnerability allowing an authenticated attacker with read-only access to upload malicious files and overwrite system files, leading to privilege escalation.
• CVE-2026-20128 – Information Disclosure vulnerability enabling unauthenticated attackers to retrieve sensitive Data Collection Agent (DCA) credential files.
• CVE-2026-20133 – Information Disclosure due to insufficient file system restrictions, exposing sensitive system-level data via APIs.
• These vulnerabilities affect multiple versions of Cisco Catalyst SD-WAN Manager prior to patched releases.
• Fixed versions vary by release track, including 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1.

Impact:
• Attackers may achieve privilege escalation and full system compromise.
• Arbitrary file overwrite can allow execution of malicious code and persistence.
• Information disclosure vulnerabilities may expose sensitive credentials and internal configurations.
• Compromised systems may be used for lateral movement and further network intrusion.
• Active exploitation significantly increases risk, especially for internet-facing deployments.

Recommendations:
• Immediately upgrade affected systems to the latest fixed versions as per Cisco guidance.
• Restrict access to SD-WAN Manager interfaces using trusted networks and IP allowlisting.
• Monitor logs for suspicious API activity, unauthorized access, and abnormal behavior.
• Disable unnecessary services such as HTTP/FTP and enforce secure protocols (SSL/TLS).
• Strengthen authentication by changing default credentials and implementing role-based access control (RBAC).
• Conduct threat hunting for indicators of compromise (IOCs) and assess potential exposure.

Reference:
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sasdwan-authbp-qwCX8D4v
• https://nvd.nist.gov/vuln/detail/CVE-2026-20133

3. Multiple Vulnerabilities in Cisco Products

Technical Details / Key Points:
• Multiple vulnerabilities have been identified across various Cisco products, including authentication bypass, Cross-Site Scripting (XSS), SQL injection, privilege escalation, and arbitrary file operations.
• CVE-2026-20152 – Authentication bypass in Cisco Secure Web Appliance allowing unauthenticated access due to improper validation.
• CVE-2026-20170 – XSS vulnerability in Cisco Webex Contact Center enabling script injection and potential session hijacking.
• CVE-2026-20059, CVE-2026-20060, CVE-2026-20061 – Multiple vulnerabilities in Cisco Unity Connection, including XSS, open redirect, and SQL injection.
• CVE-2026-20078, CVE-2026-20081 – Arbitrary file download vulnerabilities in Cisco Unity Connection exposing sensitive files.
• CVE-2026-20161 – Arbitrary file overwrite vulnerability in Cisco ThousandEyes Enterprise Agent.
• CVE-2026-20132 – Multiple XSS vulnerabilities in Cisco Identity Services Engine (ISE).
• CVE-2026-20136 – Privilege escalation vulnerability in Cisco Identity Services Engine allowing elevation from low-privileged accounts.
• These vulnerabilities impact multiple enterprise Cisco products; refer to official advisories for affected versions and patches.

Impact:
• Authentication bypass may allow unauthorized access to critical systems.
• XSS vulnerabilities can lead to session hijacking and data theft.
• SQL injection may result in database compromise and data manipulation.
• Arbitrary file download/overwrite may expose sensitive data or enable system compromise.
• Privilege escalation vulnerabilities allow attackers to gain elevated access and control systems.
• Combined exploitation could affect confidentiality, integrity, and availability of enterprise environments.

Recommendations:
• Apply the latest Cisco security patches and updates for all affected products.
• Restrict access to management interfaces using network segmentation and IP allowlisting.
• Implement strong input validation and output encoding to mitigate XSS and injection attacks.
• Enforce least privilege access and role-based access control (RBAC).
• Monitor logs for unauthorized access attempts, abnormal behavior, and exploitation indicators.
• Conduct vulnerability assessments and patch management to ensure timely remediation.

Reference:
• https://sec.cloudapps.cisco.com/security/center/publicationListing.x

4. Security Updates for Chrome OS Addressing Multiple Vulnerabilities

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Chrome OS, including memory corruption, use-after-free, and input validation issues that could lead to arbitrary code execution.
• CVE-2026-4679 – Integer overflow in Fonts leading to memory corruption.
• CVE-2026-4449 – Use-after-free vulnerability in Blink.
• CVE-2026-4674 – Out-of-bounds read in CSS.
• CVE-2026-4442 – Heap buffer overflow in CSS.
• CVE-2026-4451 – Insufficient validation of untrusted input in Navigation.
• CVE-2026-3922 – Use-after-free in MediaStream.
• CVE-2026-5280 – Use-after-free in WebCodecs.
• CVE-2026-4458 – Use-after-free in Extensions.
• CVE-2026-3923 – Use-after-free in WebMIDI.
• CVE-2026-4454 – Use-after-free in Network.
• CVE-2026-4675 – Heap buffer overflow in WebGL.
• CVE-2026-5291 – Inappropriate implementation in WebGL.
• CVE-2026-5292, CVE-2026-5282 – Out-of-bounds read in WebCodecs.
• CVE-2026-4462 – Out-of-bounds read in Blink.
• Additional vulnerabilities from 2025 CVE series have also been addressed.
• The vulnerabilities are fixed in ChromeOS LTS version 138.0.7204.310 (Platform Version: 16295.95.0) and later.

Impact:
• Exploitation may lead to memory corruption and arbitrary code execution.
• Attackers could gain unauthorized control over affected systems.
• Vulnerabilities may be leveraged for sandbox escape or browser compromise.
• Successful attacks could result in data theft, system compromise, or persistence.

Recommendations:
• Immediately update Chrome OS devices to version 138.0.7204.310 or later.
• Ensure automatic updates are enabled across all endpoints.
• Restrict access to untrusted websites and enforce secure browsing practices.
• Monitor endpoints for suspicious browser activity and exploitation attempts.
• Conduct regular patch management to ensure timely updates across all systems.

Reference:
• https://chromereleases.googleblog.com/2026/04/long-term-support-channel-updatefor_17.html

5. Multiple Vulnerabilities in Synology SSL VPN Client

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Synology SSL VPN Client that may allow remote attackers to access sensitive files and compromise VPN credentials.
• CVE-2021-47960 – Improper restriction of file access in the local HTTP service allows attackers to trick users into visiting a malicious webpage and access sensitive files such as configuration data, certificates, and logs.
• CVE-2021-47961 – Plaintext storage of VPN PIN code allows attackers to access or manipulate VPN credentials, potentially enabling unauthorized configuration changes.
• These vulnerabilities affect Synology SSL VPN Client versions prior to 1.4.5-0684.
• The issues are resolved in version 1.4.5-0684 and later.

Impact:
• Attackers may gain access to sensitive configuration files, certificates, and logs.
• Exposure of VPN PIN codes may lead to unauthorized VPN access and configuration manipulation.
• Potential for interception of VPN traffic and compromise of secure communications.
• Combined exploitation could result in data exposure and network compromise.

Recommendations:
• Immediately upgrade Synology SSL VPN Client to version 1.4.5-0684 or later.
• Avoid accessing untrusted or malicious websites while using VPN clients.
• Secure local systems by restricting access to sensitive files and directories.
• Enforce strong authentication and protect VPN credentials.
• Monitor systems for suspicious activity related to unauthorized file access or VPN misuse.

Reference:
• https://www.synology.com/en-global/security/advisory/Synology_SA_26_05

6. Multiple Vulnerabilities in Progress Kemp LoadMaster

Technical Details / Key Points:
• Multiple high and critical vulnerabilities have been identified in Progress Kemp LoadMaster that may allow command execution and WAF bypass.
• CVE-2026-3517, CVE-2026-3518, CVE-2026-3519 – OS command injection vulnerabilities in the LoadMaster API allowing authenticated attackers to execute arbitrary system commands due to improper input sanitization.
• CVE-2026-4048 – Command injection vulnerability in the LoadMaster UI via malicious input in custom WAF rule file uploads.
• CVE-2026-21876 – Critical WAF bypass vulnerability caused by improper validation of multipart content-type headers, allowing attackers to bypass protections and deliver malicious payloads.
• Affected products include:

• Progress Kemp LoadMaster (GA v7.2.62.2 and earlier, LTSF v7.2.54.16 and earlier)
• Progress ECS Connection Manager v7.2.62.2 and earlier
• Progress Connection Manager for ObjectScale v7.2.62.2 and earlier
  • Fixed versions include:
• LoadMaster GA → v7.2.63.1
• LoadMaster LTSF → v7.2.54.17
• ECS Connection Manager → v7.2.63.1
• Connection Manager for ObjectScale → v7.2.63.1

Impact:
• Attackers may achieve remote command execution on affected systems.
• Compromise of appliance integrity and backend infrastructure.
• WAF bypass may allow delivery of malicious payloads undetected.
• Increased risk of lateral movement and full environment compromise.

Recommendations:
• Immediately upgrade all affected systems to the latest fixed versions.
• Restrict access to management interfaces using network segmentation and IP allowlisting.
• Validate and sanitize all inputs to prevent command injection attacks.
• Monitor logs for suspicious API calls, file uploads, and abnormal activity.
• Implement additional security controls to detect WAF bypass attempts and malicious payload delivery.
• Conduct a security assessment to identify any signs of compromise.

Reference:
• https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

7. Actively Exploited Vulnerability in Microsoft Defender Antimalware Platform

Technical Details / Key Points:
• A high-severity Elevation of Privilege (EoP) vulnerability is identified in Microsoft Defender Antimalware Platform and is actively exploited in the wild.
• CVE-2026-33825 – EoP vulnerability caused by insufficient granularity of access control (CWE-1220).
• The vulnerability allows a low-privileged local attacker to escalate privileges to SYSTEM level.
• Attack characteristics:

• Attack Vector: Local
• Privileges Required: Low
• User Interaction: None
• Attack Complexity: Low
  • Affected versions include Microsoft Defender Antimalware Platform prior to 4.18.26030.3011.
  • The vulnerability is fixed in version 4.18.26030.3011 and later.

Impact:
• Attackers may achieve privilege escalation to SYSTEM level, gaining full control over affected systems.
• Can be leveraged post-compromise for lateral movement and persistence.
• May lead to complete system compromise and security control bypass.
• Active exploitation increases risk, especially in enterprise environments.

Recommendations:
• Immediately update Microsoft Defender to version 4.18.26030.3011 or later.
• Verify that updates are successfully deployed across all endpoints.
• Monitor systems for suspicious privilege escalation activities.
• Implement endpoint detection and response (EDR) to detect abnormal behavior.
• Conduct threat hunting for indicators of compromise (IOCs) related to this vulnerability.

Reference:
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825

8. High-Severity Vulnerability in ManageEngine Log360

Technical Details / Key Points:
• A high-severity authentication bypass vulnerability has been identified in ManageEngine Log360.
• CVE-2026-3324 – Improper authorization checks in exposed V1 APIs allow attackers to bypass authentication mechanisms.
• The vulnerability may allow unauthorized access to system data and restricted functionality.
• Affected versions include ManageEngine Log360 builds 13000 to 13013.
• The issue is resolved in build 13017 or later.

Impact:
• Attackers may bypass authentication and gain unauthorized access to sensitive system data.
• Exposure of restricted APIs may allow manipulation of system functionality.
• Potential compromise of log management and security monitoring data integrity.
• Could be leveraged for further exploitation within enterprise environments.

Recommendations:
• Immediately upgrade ManageEngine Log360 to build 13017 or later.
• Restrict access to exposed APIs using network segmentation and authentication controls.
• Implement strict API authorization and validation mechanisms.
• Monitor logs for unauthorized API access or suspicious authentication attempts.
• Apply vendor-recommended mitigations or workarounds.

Reference:
• https://www.manageengine.com/log-management/advisory/CVE-2026-3324.html

9. Security Updates for Apple iOS and iPadOS Addressing Notification Services Vulnerability

Technical Details / Key Points:
• Apple has released security updates for iOS and iPadOS addressing a vulnerability in the Notification Services component.
• CVE-2026-28950 – Notification Services logging issue where deleted notifications may be retained on the device due to improper handling of data redaction.
• The vulnerability may result in unintended retention of sensitive notification data.
• The issue affects multiple Apple devices running iOS and iPadOS prior to the fixed versions.
• Fixed versions include iOS 26.4.2 / iPadOS 26.4.2 and iOS 18.7.8 / iPadOS 18.7.8, depending on device compatibility.

Impact:
• Sensitive information from deleted notifications may remain accessible on affected devices.
• Potential exposure of personal or confidential user data.
• Could lead to privacy compromise and information leakage.
• Risk increases in devices used for corporate communication or sensitive workflows.

Recommendations:
• Immediately update all Apple devices to the latest supported iOS/iPadOS versions.
• Ensure automatic updates are enabled across enterprise-managed devices.
• Regularly verify patch compliance for mobile endpoints.
• Enforce mobile device management (MDM) policies for security enforcement.
• Monitor for potential data exposure in enterprise environments.

Reference:
• https://support.apple.com/en-ae/127002
• https://support.apple.com/en-ae/127003

10. Critical Path Traversal Vulnerability in CrowdStrike LogScale

Technical Details / Key Points:
• A critical unauthenticated path traversal vulnerability (CVE-2026-40050) has been identified in CrowdStrike LogScale self-hosted deployments.
• The flaw allows remote attackers to access sensitive files on the underlying server due to improper path validation.
• CVSS v3.1 score: 9.8 (Critical) indicating severe exploitation risk.
• Affected versions include:

• LogScale Self-Hosted (GA): versions 1.224.0 to 1.234.0
• LogScale Self-Hosted (LTS): versions 1.228.0 and 1.228.1
  • SaaS and Next-Gen SIEM deployments are not affected.
  • Fixed versions include:
• 1.235.1 or later
• 1.234.1 or later
• 1.233.1 or later
• 1.228.2 (LTS) or later

Impact:
• Attackers may access sensitive system files via path traversal exploitation.
• Potential exposure of configuration files, credentials, and internal logs.
• Could lead to full system compromise in self-hosted environments.
• Increased risk for environments with exposed or misconfigured LogScale instances.

Recommendations:
• Immediately upgrade CrowdStrike LogScale to the latest patched version.
• Restrict access to LogScale instances using network segmentation and IP allowlisting.
• Monitor for suspicious file access patterns and traversal attempts.
• Ensure proper configuration of access controls and hardening of self-hosted deployments.
• Regularly audit system logs for indicators of compromise (IOCs).

Reference:
• https://www.crowdstrike.com/en-us/security-advisories/cve-2026-40050/

11. Critical Remote Code Execution Vulnerability in protobuf.js

Technical Details / Key Points:
• A critical Remote Code Execution (RCE) vulnerability has been identified in protobuf.js, a widely used JavaScript implementation of Google Protocol Buffers.
• CVSS v3.1 score: 9.4 (Critical).
• The vulnerability allows attackers to inject and execute arbitrary JavaScript code during parsing of malicious protobuf definitions.
• Exploitation occurs when applications process untrusted .proto or JSON descriptor files.
• Attack mechanism:

• Attacker crafts malicious protobuf schema
• Injects JavaScript payload into type definitions
• When Type.decode() or similar functions are executed, payload runs in application runtime
  • Affected versions:
• 8.x → ≤ 8.0.0
• 7.x → ≤ 7.5.4
  • Fixed versions:
• 8.0.1
• 7.5.5

Impact:
• Attackers may achieve remote code execution within application runtime.
• Full compromise of Node.js or browser-based applications using vulnerable library versions.
• Risk of data theft, system takeover, and malicious payload execution.
• High risk in environments that support dynamic or externally loaded schema definitions.

Recommendations:
• Immediately upgrade protobuf.js to versions 8.0.1 or 7.5.5 or later.
• Avoid processing untrusted or externally supplied .proto/JSON schema files.
• Implement strict validation of schema inputs before decoding.
• Restrict runtime loading of dynamic protobuf definitions.
• Monitor applications for unexpected execution behavior or payload injection attempts.
• Perform dependency audits across all Node.js and frontend applications.

Reference:
• https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg

12. Oracle April 2026 Critical Patch Update for Oracle Addressing Multiple Vulnerabilities

Technical Details / Key Points:
• Oracle released its April 2026 Critical Patch Update (CPU) addressing 481 vulnerabilities across 28 product families.
• A large portion of vulnerabilities are classified as high to critical severity, with many enabling remote code execution (RCE) and unauthenticated network exploitation.
• Total breakdown:

• 481 total vulnerabilities patched
• 376 third-party CVEs (~78%)
• Major impact across Oracle Communications, Financial Services, Fusion Middleware, E-Business Suite, and Database ecosystem

Key Impacted Products & Critical Issues:

• Oracle Communications (139 vulnerabilities)

• Multiple unauthenticated RCE vulnerabilities (e.g., CVE-2025-6965, CVE-2026-25968, CVE-2025-55130)
• CVSS up to 9.8
• Impact: Full system compromise without credentials

• Oracle Financial Services Applications (75 vulnerabilities)

• CVE-2023-34034, CVE-2023-44981
• Impact: RCE and compromise of financial data integrity and transaction systems

• Oracle Fusion Middleware (59 vulnerabilities)

• Critical CVEs including CVE-2026-34285, CVE-2026-34286, CVE-2022-45047
• Many unauthenticated exploits enabling enterprise-wide compromise

• Oracle MySQL (34 vulnerabilities)

• CVE-2025-15467 affecting MySQL Enterprise Backup
• Impact: RCE and backup system compromise leading to data exposure

• Oracle E-Business Suite (18 vulnerabilities)

• CVE-2026-34275 (CVSS 9.8)
• Impact: RCE in ERP systems and potential exposure of sensitive business data

• Oracle Database Ecosystem (27 updates)

• Includes Database Server, GoldenGate, REST Data Services, and more
• CVSS up to 7.5 with potential service and data risks

Impact:
• Widespread remote code execution across enterprise Oracle systems.
• Potential full system compromise without authentication.
• Risk to financial systems, ERP platforms, and critical business data integrity.
• Exposure of sensitive enterprise and database environments.
• High risk of exploitation in internet-facing Oracle deployments.

Recommendations:
• Immediately apply Oracle April 2026 CPU patches across all affected systems.
• Prioritize remediation for:

• Internet-facing Oracle services
• Oracle Communications and Middleware platforms
• Financial and ERP systems
  • Conduct urgent vulnerability assessments across Oracle infrastructure.
  • Restrict exposure of Oracle services to trusted networks only.
  • Monitor for signs of unauthorized access and exploitation attempts.
  • Ensure continuous patch management for Oracle environments.

Reference:
• https://www.oracle.com/security-alerts/cpuapr2026.html

13. Critical XSS Vulnerability in Drupal Core

Technical Details / Key Points:
• A critical Cross-Site Scripting (XSS) vulnerability has been identified in Drupal Core due to improper sanitization in AJAX modal dialog functionality.
• CVE-2026-6365 – XSS vulnerability in Drupal’s jQuery integration for AJAX modal dialogs where options are not properly sanitized.
• The flaw allows injection of malicious JavaScript that executes in the context of an authenticated user session.
• Affected versions:

• Drupal versions ≥ 8.0.0 and < 10.5.9
• ≥ 10.6.0 and < 10.6.7
• ≥ 11.0.0 and < 11.2.11
• ≥ 11.3.0 and < 11.3.7
  • End-of-life versions (Drupal 8, 9, and older 10.x/11.x branches) are no longer supported.
  • Fixed versions include:
• Drupal 10.5.9
• Drupal 10.6.7
• Drupal 11.2.11
• Drupal 11.3.7

Impact:
• Attackers may execute malicious scripts in user browsers via XSS exploitation.
• Potential for session hijacking and unauthorized access to user accounts.
• Risk of data exposure and manipulation of authenticated sessions.
• Could be leveraged for further compromise of CMS environments and connected services.

Recommendations:
• Immediately update Drupal Core to the latest fixed versions.
• Avoid running unsupported (end-of-life) Drupal versions.
• Implement strict input validation and output encoding for all user-generated content.
• Review and secure AJAX modal dialog implementations.
• Monitor web application logs for suspicious script injection attempts.
• Conduct regular security audits of CMS deployments.

Reference:
• https://www.drupal.org/sa-core-2026-001

14. Actively Exploited Vulnerability in Apache ActiveMQ

Technical Details / Key Points:
• A vulnerability in Apache ActiveMQ (CVE-2026-34197) has been added to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
• The flaw enables authenticated Remote Code Execution (RCE) due to improper input validation and unsafe handling of broker configuration parameters.
• The vulnerability exists in the Jolokia JMX-HTTP bridge (/api/jolokia/).
• Root cause includes overly permissive Jolokia access policies allowing execution operations on ActiveMQ MBeans.
• Exploitable methods include:

• BrokerService.addNetworkConnector(String)
• BrokerService.addConnector(String)
  • Affected versions:
• Apache ActiveMQ Broker before 5.19.4
• Versions 6.0.0 to 6.2.2
  • Fixed versions:
• 5.19.4 or later
• 6.2.3 or later

Impact:
• Attackers may achieve remote code execution on ActiveMQ brokers.
• Potential full compromise of messaging infrastructure.
• Risk of manipulation of message flows and broker configurations.
• Could be used for lateral movement within enterprise environments.
• Active exploitation significantly increases risk for exposed brokers.

Recommendations:
• Immediately upgrade Apache ActiveMQ to 5.19.4, 6.2.3, or later versions.
• Restrict access to the /api/jolokia/ endpoint and disable if not required.
• Enforce strict authentication and authorization for JMX operations.
• Apply network segmentation to isolate messaging infrastructure.
• Monitor for suspicious JMX activity and unauthorized connector changes.
• Conduct threat hunting for indicators of exploitation.

Reference:
• https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

15. Security Updates for Mozilla Firefox, Firefox ESR, and Thunderbird Addressing Multiple Vulnerabilities

Technical Details / Key Points:
• Mozilla has released security updates addressing multiple vulnerabilities across Firefox, Firefox ESR, and Thunderbird.
• Several high-severity vulnerabilities affect core browser components including DOM, WebRTC, Graphics, JavaScript engine, and Web Codecs.

• CVE-2026-6746 – Use-after-free in DOM (Core & HTML).
  • CVE-2026-6747 – Use-after-free in WebRTC component.
  • CVE-2026-6748 – Uninitialized memory in Audio/Video Web Codecs.
  • CVE-2026-6749 – Information disclosure due to uninitialized memory in Canvas2D graphics.
  • CVE-2026-6750 – Privilege escalation in WebRender graphics component.
  • CVE-2026-6751 – Uninitialized memory in Web Codecs.
  • CVE-2026-6752, CVE-2026-6753 – Incorrect boundary conditions in WebRTC.
  • CVE-2026-6754 – Use-after-free in JavaScript engine.
  • CVE-2026-6784, CVE-2026-6785, CVE-2026-6786 – Memory safety vulnerabilities affecting Firefox and Thunderbird releases.
• These vulnerabilities may lead to memory corruption, information disclosure, privilege escalation, and arbitrary code execution.
• Fixed versions:

• Firefox 150
• Firefox ESR 115.35
• Firefox ESR 140.10
• Thunderbird 150
• Thunderbird 140.10

Impact:
• Attackers may exploit memory corruption vulnerabilities to achieve arbitrary code execution.
• Potential privilege escalation within browser and system contexts.
• Information disclosure vulnerabilities may expose sensitive user or system data.
• WebRTC and JavaScript engine flaws could enable remote exploitation via malicious web content.
• Increased risk for users visiting compromised or malicious websites.

Recommendations:
• Immediately update Firefox, Firefox ESR, and Thunderbird to the latest fixed versions.
• Ensure automatic updates are enabled for all Mozilla products.
• Avoid visiting untrusted websites or executing unknown web content.
• Monitor systems for abnormal browser behavior or exploitation attempts.
• Conduct routine patch management for all endpoint applications.

Reference:
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-31/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-32/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-33/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/

16. Critical Privilege Escalation Vulnerability in ASP.NET Core

Technical Details / Key Points:
• Microsoft has released out-of-band updates addressing a critical vulnerability in ASP.NET Core (CVE-2026-40372).
• The flaw has a CVSS score of 9.1 (Critical) and affects the Data Protection component.
• CVE-2026-40372 – Improper cryptographic signature validation allowing remote privilege escalation to SYSTEM level.
• Affected component: Microsoft.AspNetCore.DataProtection (versions 10.0.0 – 10.0.6).
• Fixed version: 10.0.7.
• Exploitation enables attackers to forge authentication tokens and bypass security controls.
• Even after patching, previously issued tokens may remain valid unless properly revoked.

Impact:
• Attackers may achieve SYSTEM-level privilege escalation on affected applications.
• Potential authentication bypass via forged cryptographic tokens.
• Risk of sensitive data exposure and persistent unauthorized access.
• Compromised systems may remain vulnerable if cryptographic keys are not rotated.
• High risk for web applications relying on ASP.NET Core authentication mechanisms.

Recommendations:
• Immediately update ASP.NET Core Data Protection package to version 10.0.7 or later.
• Rotate the Data Protection Key Ring after patching.
• Invalidate all previously issued authentication and session tokens.
• Monitor applications for suspicious authentication or token usage patterns.
• Conduct security review of all systems using ASP.NET Core Data Protection.
• Ensure proper key management and cryptographic validation practices.

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-40372

17. Security Updates for Atlassian Products Addressing Multiple Vulnerabilities

Technical Details / Key Points:
• Atlassian has released April 2026 security updates addressing multiple vulnerabilities across Bamboo, Bitbucket, Confluence, Jira Software, and Jira Service Management (Data Center and Server).
• Vulnerabilities include Remote Code Execution (RCE), OS command injection, path traversal, HTTP request smuggling, XSS, information disclosure, and denial-of-service (DoS) issues.
• Many vulnerabilities originate from vulnerable third-party dependencies.

Critical-Severity Vulnerabilities:
• CVE-2026-21571 – OS command injection in Bamboo Data Center allowing RCE.
• CVE-2022-1471 – SnakeYAML RCE affecting Confluence, Jira Software, and JSM.
• CVE-2024-47875 – DOM-based XSS (mXSS) in Jira Software / JSM.
• CVE-2026-25547 – DoS in brace-expansion component.
• CVE-2021-31597 – MITM vulnerability in XMLHttpRequest (JSM).

High-Severity Vulnerabilities:
• Bamboo: Netty DoS (CVE-2026-33871), Tomcat information disclosure (CVE-2026-34487), HTTP request smuggling (CVE-2026-24880, CVE-2026-33870), MITM in Tomcat Coyote (CVE-2026-24734), Axios DoS (CVE-2026-25639), DOMPurify XSS (CVE-2024-45801).
• Bitbucket: DoS via ua-parser-js (CVE-2022-25927).
• Confluence: Path traversal via node-tar (CVE-2026-23950, CVE-2026-24842, CVE-2026-31802, CVE-2026-26960), file inclusion issues, injection vulnerabilities, XSS, DoS, and HTTP request smuggling issues.
• Jira Software: Authorization flaw in commons-beanutils (CVE-2025-48734), MITM via OkHttp (CVE-2021-0341), DoS via json-smart and okio.
• Jira Service Management: Similar authorization, DoS, and MITM vulnerabilities affecting shared dependencies.

Fixed Versions:
• Bamboo: 12.1.6 (LTS), 10.2.18 (LTS)
• Bitbucket: 10.2.0–10.2.2 (LTS), 9.4.18–9.4.19 (LTS)
• Confluence: 10.2.10 (LTS), 9.2.19 (LTS)
• Jira Software: 11.3.4 (LTS), 10.3.19 (LTS)
• Jira Service Management: 11.3.4 (LTS), 10.3.19 (LTS)

Impact:
• Attackers may achieve remote code execution on Atlassian enterprise systems.
• Exploitation may lead to data leakage, unauthorized access, and system compromise.
• HTTP request smuggling and path traversal can enable bypass of security controls and backend access.
• DoS vulnerabilities may cause service disruption across enterprise DevOps environments.
• Compromised Atlassian tools can impact CI/CD pipelines and enterprise workflows.

Recommendations:
• Immediately upgrade all affected Atlassian products to the latest fixed versions.
• Prioritize patching of internet-facing Confluence, Jira, and Bitbucket instances.
• Review and secure third-party dependencies used in Atlassian deployments.
• Monitor logs for suspicious HTTP requests, injection attempts, and abnormal API behavior.
• Enforce strict access controls and segmentation for Atlassian services.
• Conduct vulnerability assessment across DevOps and collaboration platforms.

Reference:
• https://confluence.atlassian.com/security/security-bulletin-april-21-2026-1770913890.html

18. Critical Command Injection Vulnerability in ASUSTOR Data Master (ADM)

Technical Details / Key Points:
• A critical command injection vulnerability (CVE-2026-6644) has been identified in ASUSTOR ADM, specifically in the PPTP VPN client component.
• CVSS v3.1 score: 9.4 (Critical).
• The vulnerability allows attackers with administrative access to execute arbitrary system commands due to improper input validation and lack of sanitization before shell execution.
• Affected component: PPTP VPN client in ADM web management interface.
• Affected versions:

• ADM 5.0 (affected) → fixed in 5.1.3.RGL1 and later
• ADM 4.3 / 4.2 / 4.1 → partially patched / fixes in progress
  • Exploitation flow:
• Requires authenticated admin access
• Malicious VPN configuration input is injected
• Input is executed at system shell level leading to command execution

Impact:
• Attackers may achieve remote code execution (RCE) on NAS devices.
• Full compromise of NAS systems including file read/write/delete operations.
• Potential deployment of ransomware, backdoors, or persistence mechanisms.
• Privilege escalation beyond intended administrative controls.
• Risk to enterprise storage environments and SMB NAS deployments.

Recommendations:
• Immediately upgrade ASUSTOR ADM to 5.1.3.RGL1 or later for ADM 5.0 systems.
• Disable PPTP VPN client if not required for operations.
• Restrict administrative interface access to trusted IP ranges only.
• Enforce strong authentication and secure configuration practices for NAS devices.
• Monitor NAS logs for unexpected command execution or configuration changes.
• Conduct security audits on exposed NAS infrastructure.

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-6644

19. Actively Exploited XSS Vulnerability in Zimbra Collaboration Suite

Technical Details / Key Points:
• A Cross-Site Scripting (XSS) vulnerability in the Classic Web UI of Zimbra Collaboration Suite (CVE-2025-48700) is actively exploited in the wild.
• The flaw allows remote attackers to execute arbitrary JavaScript in a victim’s browser session via crafted email content.
• Attack vector: Remote (email-based).
• User interaction: Required only to open/view the malicious email.
• Exploit maturity: Actively exploited.

• Successful exploitation may lead to:

• Session hijacking
• Unauthorized mailbox access
• Data exfiltration
• Lateral movement within enterprise environments

• Fixed versions:

• 8.8.15 Patch 47
• 9.0.0 Patch 43
• 10.0.12
• 10.1.4

Impact:
• Attackers may execute malicious scripts in user browser sessions.
• Potential compromise of email accounts and sensitive communications.
• Risk of credential theft and session takeover.
• Could be used for enterprise lateral movement and targeted phishing campaigns.
• High risk due to low complexity and active exploitation.

Recommendations:
• Immediately upgrade Zimbra Collaboration Suite to the latest patched versions.
• Educate users to be cautious when opening unexpected or suspicious emails.
• Implement email filtering and anti-XSS protections at gateway level.
• Enforce secure session management and MFA for email access.
• Monitor logs for abnormal mailbox activity or session anomalies.
• Conduct threat hunting for indicators of compromise.

Reference:
• https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

20. AI-Powered Voice Phishing Platform “ATHR” Automating Vishing Attacks

Technical Details / Key Points:
• A new cybercrime platform named ATHR has been identified, automating voice phishing (vishing) attacks using a combination of AI agents and human operators.
• The platform is part of a broader Telephone-Oriented Attack Delivery (TOAD) ecosystem that streamlines social engineering at scale.
• Cost of access: approximately $4,000 + 10% commission on successful operations.

• Attack chain:

• Victims receive deceptive emails impersonating security alerts or account notifications. 
• Emails bypass authentication checks and prompt victims to call a provided number. 
• Calls are routed to AI voice agents or human operators. 
• AI agents simulate legitimate support workflows (e.g., Google, Microsoft, Coinbase account recovery). 
• Victims are manipulated into sharing 6-digit MFA/verification codes. 

• Platform capabilities:

• Supports at least 8 online services 
• Operator dashboard for managing email campaigns 
• Real-time monitoring of call outcomes and victim interactions 
• AI prompts tailored for realistic social engineering conversations 

Impact:
• Increased success rate of social engineering and MFA bypass attacks.
• Compromise of user accounts through stolen verification codes.
• Potential access to email, cloud, and cryptocurrency accounts.
• Scaling of phishing operations with reduced attacker effort via automation.
• Higher risk of targeted enterprise credential theft and account takeover.

Recommendations:
• Implement strong MFA resistant to voice/social engineering (FIDO2 security keys preferred).
• Educate users that legitimate support teams will never request verification codes over phone.
• Block or monitor unverified outbound call instructions in emails.
• Deploy email security solutions with phishing and impersonation detection.
• Establish internal policy prohibiting sharing of OTPs or recovery codes via phone/email.
• Monitor for TOAD-style phishing campaigns and unusual callback-based scams.
• Conduct regular security awareness training focused on AI-driven social engineering threats.

Reference:
• https://www.scworld.com/brief/athr-platform-automates-voice-phishing-attacks-with-ai