Weekly Threat Landscape Digest – Week 18

1. Multiple Vulnerabilities in Foxit PDF Reader and Foxit PDF Editor

Technical Details / Key Points:
• Multiple vulnerabilities identified in Foxit PDF Reader and Editor that may lead to Denial-of-Service (DoS), information disclosure, and potential remote code execution (RCE).
• CVE-2026-5937 – Uncaught Exception (CWE-248) | CVSS 5.5
→ Improper parameter validation may cause application crashes during directory import.
• CVE-2026-5938 – Insufficient Control Flow Management (CWE-691) | CVSS 5.5
→ Crafted document actions can trigger modal dialog reentry leading to crashes/freezes.
• CVE-2026-5939 – Use-After-Free (CWE-416) | CVSS 5.5
→ Improper handling of XFA/annotations/signatures may cause crashes or data exposure.
• CVE-2026-5940 – Use-After-Free (CWE-416) | CVSS 7.8
→ Memory corruption vulnerability allowing potential arbitrary code execution.
• CVE-2026-5942 – Use-After-Free (CWE-416) | CVSS 5.5
→ Improper object lifecycle handling leading to DoS.
• CVE-2026-5943 – Use-After-Free (CWE-416) | CVSS 7.8
→ Memory corruption with potential for code execution.

• Affected Versions:

• Foxit PDF Reader (Windows): 2026.1.0.36452 and earlier
• Foxit PDF Editor (Windows): Multiple versions across 2023–2026 (including 13.x, 14.x, 2023.x, 2024.x, 2025.x, 2026.x)

• Patched Versions:

• Foxit PDF Reader: 2026.1.1
• Foxit PDF Editor: 2026.1.1 / 14.0.4 / 13.2.4

Impact:
• Application crashes and service disruption (DoS)
• Potential information disclosure through memory handling flaws
• High risk of remote code execution (RCE) via crafted PDF files
• Increased likelihood of exploitation through phishing or malicious attachments

Recommendations:
• Immediately update Foxit products to the latest patched versions
• Avoid opening PDF files from untrusted or unknown sources
• Implement email and web filtering to block malicious attachments
• Monitor endpoint activity for abnormal PDF execution or crashes
• Deploy EDR/SIEM rules to detect suspicious Foxit-related behavior

Reference:
• https://www.foxit.com/support/security-bulletins.html

2. Critical Vulnerability in Notepad++

Technical Details / Key Points:
• A critical vulnerability has been identified in Notepad++ that may lead to application crashes and sensitive memory disclosure via malicious localization files
• CVE-2026-3008 – Format String Injection in nativeLang.xml parsing
• Severity: Critical | CVSS v4: 10
• The issue arises due to improper handling of the find-result-hits parameter within the nativeLang.xml file
• When users perform search operations such as “Find ALL in Current Document,” specially crafted format string payloads can be processed without proper validation
• Exploitation may result in application instability, crashes (DoS), and exposure of sensitive memory data

Affected Version:
• Notepad++ 8.9.3

Patched Version:
• Notepad++ 8.9.4 or later

Impact:
• Application crashes leading to Denial-of-Service (DoS)
• Exposure of sensitive memory contents
• Potential leakage of internal application data
• Increased risk of further exploitation due to memory disclosure

Recommendations:
• Immediately update Notepad++ to version 8.9.4 or later
• Avoid using untrusted or modified localization (nativeLang.xml) files
• Restrict write access to application configuration directories
• Monitor systems for abnormal Notepad++ behavior or crashes
• Apply endpoint protection to detect suspicious file manipulation

Reference:
• https://www.tenable.com/cve/CVE-2026-3008

3. Critical RCE Vulnerabilities in Apache MINA

Technical Details / Key Points:
• Two critical vulnerabilities identified in Apache MINA enabling Remote Code Execution (RCE) via unsafe deserialization
• Both vulnerabilities carry CVSS score: 9.8 (Critical)

• CVE-2026-41635 – Allowlist Bypass in Deserialization
  • Type: Improper Input Validation / Logic Flaw
  • In AbstractIoBuffer.resolveClass(), certain execution paths do not enforce classname allowlist checks
  • Attackers can craft serialized payloads to bypass validation and execute arbitrary classes
  • Attack Vector: Remote (potentially unauthenticated)
• CVE-2026-41409 – Delayed Allowlist Enforcement
  • Type: Unsafe Deserialization / Improper Initialization Order
  • Allowlist validation occurs after class loading
  • Java executes static initializers before validation, allowing malicious code execution
  • Represents incomplete fix of previous vulnerability (CVE-2024-52046)
  • Attack Vector: Remote via crafted serialized objects

Affected Versions:
• 2.2.x: 2.2.0 → 2.2.5
• 2.1.x: 2.1.0 → 2.1.10
• 2.0.x: 2.0.0 → 2.0.27

Patched Versions:
• 2.0.28
• 2.1.11
• 2.2.6

Impact:
• Remote Code Execution (RCE) without proper validation
• Full system compromise depending on application privileges
• Exploitation through unauthenticated network access (in exposed services)
• High risk for applications relying on serialized object processing

Recommendations:
• Immediately upgrade Apache MINA to patched versions (2.0.28 / 2.1.11 / 2.2.6)
• Avoid unsafe deserialization of untrusted data
• Implement strict allowlist validation before class loading
• Restrict network exposure of services using Apache MINA
• Monitor for suspicious serialized payloads and abnormal application behavior

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-41635
• https://nvd.nist.gov/vuln/detail/CVE-2026-41409

4. Active Exploitation of Windows Shell Spoofing Vulnerability

Technical Details / Key Points:
• A Windows Shell vulnerability is being actively exploited in the wild, increasing operational risk despite a lower CVSS score
• CVE-2026-32202 – Protection Mechanism Failure (CWE-693) enabling spoofing attacks
• Severity: Important | CVSS 4.3
• Vendor: Microsoft
• The vulnerability allows attackers to present spoofed content via Windows Shell
• Exploitation requires user interaction (execution of a malicious file)
• Linked to an incomplete patch of CVE-2026-21510, enabling bypass conditions

Attack Characteristics:
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Scope: Unchanged

Exploit Insights:
• Exploitation involves delivering a crafted malicious file to the victim
• Upon execution, spoofed content is displayed via Windows Shell
• May lead to limited sensitive information disclosure
• Exploit Code Maturity: Functional
• Exploitation Status: Confirmed in the wild

Impact:
• Spoofing attacks leading to user deception
• Limited exposure of sensitive information
• Increased risk due to active exploitation campaigns
• Potential use in phishing or social engineering attacks

Recommendations:
• Apply April 2026 Microsoft Patch Tuesday updates immediately
• Ensure EDR/XDR solutions are updated to detect spoofed file execution
• Educate users to avoid executing untrusted files
• Monitor endpoints for suspicious file execution activity
• Implement email and web filtering to block malicious attachments

Reference:
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202

5. Actively Exploited Vulnerability in D-Link DIR-823X Router

Technical Details / Key Points:
• A critical command injection vulnerability is being actively exploited in the wild
• CVE-2025-29635 – Command Injection vulnerability
• Affected devices: D-Link DIR-823X routers (End-of-Life)
• Affected firmware: 240126, 24082
• Attackers are exploiting this flaw to deploy Mirai botnet variants for DDoS attacks and persistent compromise
• Attack Vector: Remote via HTTP POST request
• Authentication: Not effectively enforced
• Status: Actively exploited in real-world campaigns

Indicators of Compromise (IOCs):
• Malicious IPs:

• 88.214.20.14
• 64.89.161.130

• File Hashes (SHA256):

• 2ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100
• be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b
• d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7
• 7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8
• 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8

Impact:
• Full device compromise of vulnerable routers
• Deployment of Mirai botnet malware
• Participation of infected devices in large-scale DDoS attacks
• Persistent network-level compromise
• Increased risk due to lack of vendor patch (EOL status)

Recommendations:
• Immediately replace all affected D-Link DIR-823X routers (no patch available)
• Block identified malicious IP addresses at network perimeter
• Monitor outbound traffic for unusual connections or high-port activity
• Isolate legacy or EOL networking devices from critical infrastructure
• Implement network segmentation to reduce lateral exposure
• Continuously monitor for Mirai-related traffic patterns

Reference:
• https://www.akamai.com/blog/security-research/cve-2025-29635-mirai-campaign-targets-d-link-devices#iocs

6. Security Updates for Mozilla Firefox and Firefox ESR

Technical Details / Key Points:
• Mozilla has released security updates addressing multiple vulnerabilities in Firefox and Firefox ESR
• Issues include memory safety flaws, information disclosure, and sandbox escape in WebRTC
• These vulnerabilities may allow arbitrary code execution or bypass of browser isolation protections

• Critical:

• CVE-2026-7322 – Memory Safety Vulnerabilities

• High:

• CVE-2026-7320 – Information Disclosure in Audio/Video component
• CVE-2026-7323 – Memory Safety Vulnerabilities
• CVE-2026-7324 – Memory Safety Vulnerabilities

• Moderate:

• CVE-2026-7321 – Sandbox Escape in WebRTC networking component

• Key Risk Areas:

• Memory corruption leading to potential RCE
• Exposure of sensitive media processing data
• Sandbox escape weakening browser security isolation

Fixed Versions:
• Firefox 150.0.1
• Firefox ESR 140.10.1
• Firefox ESR 115.35.1

Impact:
• Potential remote code execution via memory corruption flaws
• Sensitive data exposure through media processing components
• Browser sandbox bypass under specific conditions
• Increased risk of targeted exploitation via malicious websites

Recommendations:
• Immediately update Firefox and Firefox ESR to the latest versions
• Enforce automatic browser updates across enterprise environments
• Restrict access to untrusted or suspicious websites
• Monitor endpoint browsers for abnormal crashes or exploit behavior
• Ensure browser security policies and sandboxing remain enabled

Reference:
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-35/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-36/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-37/

7. High-Severity Vulnerability in Apache HttpClient

Technical Details / Key Points:
• A high-severity vulnerability has been identified in Apache HttpClient affecting SCRAM-SHA-256 authentication
• CVE-2026-40542 – Authentication Bypass vulnerability
• Severity: High
• The issue arises due to a missing critical step in the SCRAM-SHA-256 mutual authentication process
• An attacker can manipulate the authentication flow, causing the client to incorrectly accept authentication without proper verification
• This leads to bypass of authentication controls and establishment of unauthorized trusted sessions

Affected Version:
• Apache HttpClient 5.6

Fixed Version:
• Apache HttpClient 5.6.1 or later

Impact:
• Authentication bypass in client-server communication
• Unauthorized access to protected services
• Compromise of secure API interactions
• Potential session impersonation and data exposure

Recommendations:
• Immediately upgrade Apache HttpClient to version 5.6.1 or later
• Enforce strict authentication validation in client-server communication
• Monitor logs for abnormal authentication success patterns
• Review applications using SCRAM-SHA-256 for proper implementation
• Apply defense-in-depth controls for API and service authentication

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-40542

8. Critical Vulnerabilities in Spring Boot

Technical Details / Key Points:
• Multiple high-impact vulnerabilities have been identified in Spring Boot affecting enterprise Java applications
• CVE-2026-40976 – Authentication Bypass via Default Security Misconfiguration
• Severity: Critical | CVSS 9.1
• Default security filter chain may leave all endpoints unprotected under specific conditions
• Exploitation leads to full application security bypass

• CVE-2026-40972 – Timing Attack in DevTools
  • Severity: High | CVSS 7.5
  • Timing side-channel vulnerability allows inference of secrets via response time analysis
  • Exploitable when attacker is on same network
• CVE-2026-40973 – Insecure Temporary Directory Handling
  • Severity: High | CVSS 7.0
  • Predictable temp directory handling enables local attackers to execute code via gadget chains
  • May lead to privilege escalation within application context

Affected Versions & Fixes:
• 4.0.x → fixed in 4.0.6
• 3.5.x → fixed in 3.5.14
• 3.4.x → fixed in 3.4.16 (Enterprise)
• 3.3.x → fixed in 3.3.19 (Enterprise)
• 2.7.x → fixed in 2.7.33 (Enterprise)

Impact:
• Complete authentication bypass in misconfigured applications
• Exposure of sensitive secrets via timing attacks
• Local privilege escalation via insecure temp directory handling
• Compromise of enterprise Java application security posture

Recommendations:
• Immediately upgrade Spring Boot to patched versions
• Avoid relying on default security configurations
• Implement custom security filters and access controls
• Enforce constant-time comparisons for sensitive operations
• Restrict local access and secure temporary directory usage
• Monitor application behavior for abnormal access patterns

Reference:
• https://spring.io/security/cve-2026-40976
• https://spring.io/security/cve-2026-40972
• https://spring.io/security/cve-2026-40973

9. Authentication Bypass Vulnerability in OpenSSH

Technical Details / Key Points:
• A high-impact authentication bypass vulnerability has been identified in OpenSSH versions prior to 10.3
• CVE-2026-35414 – Authentication Bypass
• Severity: High | CVSS 8.1 (NIST)
• The issue arises from improper handling of the authorized_keys principals option when used with certificate-based authentication
• Malformed principal names can trigger incorrect validation behavior
• Exploitation may allow users with a valid certificate from a trusted CA to bypass authentication controls
• In certain scenarios, this may result in elevated privileges including root access

Affected Version:
• OpenSSH versions < 10.3

Fixed Version:
• OpenSSH 10.3 or later

Impact:
• Authentication bypass in SSH certificate-based authentication
• Unauthorized access to protected systems
• Potential privilege escalation to root level
• Compromise of secure remote access infrastructure

Recommendations:
• Immediately upgrade OpenSSH to version 10.3 or later
• Review and validate all SSH certificate-based authentication configurations
• Restrict and audit trusted Certificate Authorities (CAs)
• Monitor SSH authentication logs for abnormal or unexpected certificate usage
• Enforce strict principal validation policies in authorized_keys

Reference:
• https://www.openssh.org/releasenotes.html#10.3p1

10. Multiple Vulnerabilities in Apache ActiveMQ

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in Apache ActiveMQ impacting the broker JVM and web console
• CVE-2026-41044 – Remote Code Execution via Improper Broker Name Validation
• Severity: High
• Authenticated attacker can inject malicious broker name containing xbean binding
• Leads to loading of remote Spring XML context and execution of arbitrary code via JVM (e.g., Runtime.exec())

• CVE-2026-40466 – RCE via Jolokia HTTP Discovery Transport
  • Severity: High
  • Attacker can bypass mitigations using Jolokia interface
  • Malicious HTTP discovery transport points to attacker-controlled endpoint
  • Enables remote loading of Spring XML configuration and code execution
• CVE-2026-41043 – Cross-Site Scripting (XSS) in Web Console
  • Severity: Medium
  • Injection of malicious HTML into JMS selector field
  • Manipulation of response content type leads to script execution in admin browser session
  • May result in session hijacking or admin compromise

Affected Versions:
• Apache ActiveMQ 5.19.x prior to 5.19.6
• Apache ActiveMQ 6.2.x prior to 6.2.5

Fixed Versions:
• Apache ActiveMQ 5.19.6 or later
• Apache ActiveMQ 6.2.5 or later

Impact:
• Remote code execution on broker JVM
• Full compromise of messaging infrastructure
• Administrative session hijacking via XSS
• Potential lateral movement within enterprise environments
• High risk in exposed or misconfigured ActiveMQ deployments

Recommendations:
• Immediately upgrade Apache ActiveMQ to patched versions
• Restrict access to ActiveMQ web console and Jolokia interface
• Enforce strict authentication and authorization controls
• Disable unnecessary administrative endpoints and transports
• Monitor broker logs for unusual XML loading or VM transport activity
• Implement WAF rules to detect and block injection attempts

Reference:
• https://www.tenable.com/cve/CVE-2026-40466
• https://www.tenable.com/cve/CVE-2026-41043
• https://www.tenable.com/cve/CVE-2026-41044

11. Security Updates for Google Chrome

Technical Details / Key Points:
• Google has released Chrome 147 Stable and Extended Stable updates addressing 30 vulnerabilities across multiple components
• Exploitation may lead to remote code execution, memory corruption, browser crashes, or system compromise via malicious web content

• Critical Severity:

• CVE-2026-7363 – Use After Free in Canvas
• CVE-2026-7361 – Use After Free in iOS
• CVE-2026-7344 – Use After Free in Accessibility
• CVE-2026-7343 – Use After Free in Views

• High Severity:

• Multiple Use-After-Free issues in GPU, Media, Navigation, WebRTC, Cast, WebMIDI, Codecs, ANGLE, V8, and other components
• CVE-2026-7337 – Type Confusion in V8
• CVE-2026-7353 – Heap Buffer Overflow in Skia
• CVE-2026-7354 – Out of Bounds Read/Write in ANGLE
• CVE-2026-7336 – Use After Free in WebRTC
• CVE-2026-7351 – Race Condition in MHTML
• CVE-2026-7346 – Improper Implementation in Tint
• Additional memory safety and input validation issues across browser subsystems

• Medium Severity:

• CVE-2026-7339 – Heap Buffer Overflow in WebRTC
• CVE-2026-7340 – Integer Overflow in ANGLE
• CVE-2026-7355 – Use After Free in Media

Fixed Versions:
• Chrome Stable (Windows/Mac): 147.0.7727.137/138 or later
• Chrome Stable (Linux): 147.0.7727.137 or later
• Chrome for Android: 147.0.7727.137 or later
• Chrome Extended Stable (Windows/Mac): 146.0.7680.216 or later

Impact:
• Remote code execution via malicious web pages
• Memory corruption leading to browser exploitation
• Potential sandbox escape and system compromise
• Browser crashes and service instability
• Increased risk of drive-by download attacks

Recommendations:
• Immediately update Google Chrome to the latest stable version
• Ensure automatic updates are enabled across enterprise endpoints
• Restrict access to untrusted or suspicious websites
• Monitor browser crash logs and exploit indicators
• Enforce browser isolation or sandboxing controls where possible

Reference:
• https://chromereleases.googleblog.com/2026/04/stable-channel-update-fordesktop_28.html
• https://chromereleases.googleblog.com/

12. Supply Chain Compromise of npm Package – Bitwarden CLI

Technical Details / Key Points:
• A supply chain attack was identified targeting the official Bitwarden CLI npm package
• Threat actor: TeamPCP (@pcpcats)
• Malicious package published: @bitwarden/[email protected]
• Exposure window: approximately 93 minutes before removal
• Attack classified as a coordinated supply chain compromise affecting developer ecosystems

• Attack Characteristics:

• Compromised CI/CD pipeline via Checkmarx infrastructure
• Injection through GitHub Actions used in build process
• Malicious code embedded in npm publication workflow
• Worm-like propagation behavior across developer environments

• Malware Capabilities:

• Credential harvesting (npm tokens, GitHub PATs, SSH keys, cloud secrets, AI tool configs)
• Multi-provider data exfiltration
• Persistence via obfuscation and execution hooks
• Self-propagation across developer systems and pipelines
• Exfiltration via C2 and GitHub dead drops

Indicators of Compromise (IoCs):

Network IoCs:
• audit.checkmarx[.]cx
• checkmarx[.]cx
• 94.154.172[.]43
• 91.195.240[.]123

GitHub IoCs:
• helloworm00/hello-world
• helloworm00@proton[.]me
• bc544f455d7c06c8a1f3446160a6d9a4a8236b11
• “Checkmarx Configuration Storage” repositories
• Repo pattern: –<3digits>

File Hashes (SHA256):
• f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d (bw_setup.js)
• 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb (bw1.js)
• 167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad (package.json)

File/Artifact IoCs:
• bw_setup.js
• bw1.js
• setup.mjs
• .github/workflows/format-check.yml
• format-results artifact

npm IoCs:
• @bitwarden/[email protected]
• Preinstall hook: “node setup.mjs”

Impact:
• Credential theft from developer environments and CI/CD systems
• Full compromise of developer pipelines and source code environments
• Downstream propagation through dependency chains
• Exposure of cloud infrastructure credentials and secrets
• Risk of large-scale supply chain compromise across organizations

Recommendations:
• Immediately verify if @bitwarden/[email protected] was installed
• Rotate all potentially exposed credentials (npm tokens, GitHub PATs, SSH keys, cloud keys)
• Audit CI/CD pipelines and GitHub workflows for malicious changes
• Block identified malicious domains and IPs at network perimeter
• Review npm dependencies and lockfiles across environments
• Monitor for abnormal outbound connections and secret exfiltration patterns

Reference:
• https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/

13. Critical Vulnerability in MICS Resource Management REST API Server

Technical Details / Key Points:
• A critical vulnerability has been identified in MICS Resource Management REST API Server (MBAS) impacting z/OS environments
• CVE-2026-22732 – Spring Security related vulnerability
• Severity: CRITICAL | CVSS 9.1
• Vendor: Broadcom
• The issue originates from a vulnerable implementation within Spring Security (upgrade path from 5.8.21 → 5.8.24)
• The flaw is present in the MBAS (REST API Server) component

Attack Characteristics:
• Remotely exploitable over network
• No authentication required (PR:N)
• No user interaction required (UI:N)
• Low attack complexity (AC:L)
• No privilege escalation required

Affected Version:
• MICS Resource Management 14.5 (REST API Server / MBAS only)

Unaffected Versions:
• 14.3
• 14.4

Fix:
• Apply vendor patch PTF LU20158

Impact:
• Full remote compromise of REST API server
• Unauthorized access to mainframe resource management functions
• Potential disruption of enterprise /OS environments
• High risk due to unauthenticated network exploitation

Recommendations:
• Immediately apply vendor-provided patch (PTF LU20158)
• Restrict network exposure of MBAS REST API endpoints
• Implement strong access controls and API gateway protection
• Monitor logs for unauthenticated API access attempts
• Ensure Spring Security components are updated to secure versions

Reference:
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/securityadvisories/0/37391/

14. Critical Authentication Vulnerability in cPanel and WHM

Technical Details / Key Points:
• A critical authentication vulnerability has been identified in cPanel and WHM affecting hosting control panel security
• Vulnerability Type: Authentication Bypass / Unauthorized Access
• Severity: Critical (CVSS not publicly disclosed)
• The flaw impacts core authentication mechanisms used in both cPanel and WHM interfaces
• Full technical details have not been publicly disclosed, but the issue is considered high risk due to potential administrative compromise
• Exploitation could allow unauthorized access to hosting environments and control panel functions
• Some hosting providers have already applied temporary mitigations while official patches are deployed

Affected Versions:
• Multiple supported cPanel & WHM versions (see vendor advisory for full list)

Patched Versions:
• 11.110.0.97
• 11.118.0.63
• 11.126.0.54
• 11.132.0.29
• 11.134.0.20
• 11.136.0.5

Impact:
• Unauthorized access to hosting control panels
• Potential full administrative compromise of cPanel/WHM environments
• Exposure of hosted websites, databases, and user accounts
• Risk of large-scale hosting infrastructure compromise
• Possible privilege escalation to root-level management functions

Recommendations:
• Immediately upgrade cPanel & WHM to the latest patched versions
• Apply vendor-recommended security updates without delay
• Restrict direct internet exposure of cPanel/WHM interfaces
• Enforce multi-factor authentication (MFA) for all admin accounts
• Monitor authentication logs for suspicious or repeated login attempts
• Review hosting environment access controls and session security

Reference:
• https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026

15. Actively Exploited Critical Vulnerabilities in SimpleHelp Remote Support

Technical Details / Key Points:
• Multiple critical vulnerabilities have been identified and are actively exploited in SimpleHelp Remote Support software
• These flaws impact remote support and unattended management environments, enabling full system compromise

• CVE-2024-57727 – Unauthenticated Path Traversal
  • Severity: Critical (CVSS 9.1)
  • Allows unauthenticated attackers to download arbitrary files from the server
  • Root cause: Improper input validation leading to path traversal
• CVE-2024-57726 – Privilege Escalation (Technician → Admin)
  • Severity: Critical (CVSS 9.9)
  • Enables low-privilege technician accounts to escalate to administrative access
  • Can be chained with other vulnerabilities for full compromise
• CVE-2024-57728 – Arbitrary File Upload → Remote Code Execution
  • Severity: High (CVSS 7.2)
  • Authenticated attacker can upload malicious files leading to remote code execution
  • Enables full system compromise when combined with privilege escalation flaws

Fixed Versions:
• 5.5.8 or later
• 5.4.10 or later
• 5.3.9 or later

Impact:
• Full remote code execution on SimpleHelp servers
• Unauthorized access to sensitive system and configuration files
• Privilege escalation from technician to administrator level
• Potential lateral movement to connected client systems
• Complete compromise of remote support infrastructure

Recommendations:
• Immediately upgrade SimpleHelp Remote Support to patched versions
• Restrict access to remote support portals and administrative interfaces
• Enforce strong authentication and role-based access controls
• Monitor for unusual file access or privilege escalation attempts
• Audit technician and admin accounts for suspicious activity
• Apply network segmentation for remote support systems

Reference:
• https://guides.simple-help.com/kb—security-vulnerabilities-01-2025#remote-machine-compromise

16. Security Updates for NVIDIA CUDA-Q and KAI Scheduler

Technical Details / Key Points:
• NVIDIA has released security updates addressing multiple vulnerabilities in CUDA-Q and KAI Scheduler
• The vulnerabilities may allow denial-of-service (DoS), unauthorized access, and potential data manipulation

High Severity Vulnerabilities:
• CVE-2026-24189 – Out-of-Bounds Read in CUDA-Q
• Unauthenticated attacker can trigger out-of-bounds read via crafted request
• May result in DoS and potential information disclosure

• CVE-2026-24177 – Unauthorized API Access in KAI Scheduler
  • Improper access control allows unauthorized API access
  • May lead to exposure of sensitive information

Medium Severity Vulnerability:
• CVE-2026-24176 – Improper Authorization in KAI Scheduler
• Cross-namespace pod reference issue
• May allow data tampering through improper authorization controls

Affected Products:
• NVIDIA CUDA-Q – All versions prior to 0.14.0
• NVIDIA KAI Scheduler – All versions prior to 0.13.0 (Linux)

Fixed Versions:
• CUDA-Q: 0.14.0 or later
• KAI Scheduler: 0.13.0 or later

Impact:
• Denial-of-service via crafted requests
• Unauthorized API access and sensitive data exposure
• Potential data manipulation in Kubernetes-based workloads
• Risk to AI/compute scheduling infrastructure integrity

Recommendations:
• Immediately upgrade CUDA-Q and KAI Scheduler to patched versions
• Restrict API endpoint access and enforce strict authentication controls
• Monitor for abnormal API requests and unauthorized access attempts
• Implement network segmentation for scheduler and compute services
• Apply least privilege access controls across Kubernetes environments

Reference:
• https://nvidia.custhelp.com/app/answers/detail/a_id/5820
• https://nvidia.custhelp.com/app/answers/detail/a_id/5818

17. Remote Code Execution Vulnerability in GitHub and GitHub Enterprise Server

Technical Details / Key Points:
• A critical command injection vulnerability has been identified affecting GitHub and GitHub Enterprise Server (GHES)
• CVE-2026-3854 – Command Injection / Improper Input Neutralization
• Severity: High | CVSS 8.7
• The flaw allows an authenticated user with repository push access to achieve remote code execution (RCE)
• Exploitation is possible via a single malicious git push operation
• Root cause: improper sanitization of user-supplied git push options
• Input is incorrectly embedded into internal service headers (X-Stat headers)
• Attackers can inject malicious metadata using delimiter-based parsing issues (semicolon-based parsing flaw)
• Potential impact includes cross-tenant data exposure in GitHub.com multi-tenant environments

Affected Platforms:
• GitHub.com
• GitHub Enterprise Cloud (all variants)
• GitHub Enterprise Server (GHES)

Patched Versions:
• GHES 3.14.25 or later
• GHES 3.15.20 or later
• GHES 3.16.16 or later
• GHES 3.17.13 or later
• GHES 3.18.7 or later
• GHES 3.19.4 or later
• GHES 3.20.0 or later

Impact:
• Remote code execution on GitHub Enterprise infrastructure
• Cross-tenant data exposure in multi-tenant environments
• Potential full compromise of repository hosting systems
• Unauthorized execution of commands via repository push operations
• Risk to CI/CD pipelines and source code integrity

Recommendations:
• Immediately upgrade GitHub Enterprise Server to patched versions
• Verify patch levels across all GitHub instances
• Apply emergency patching for internet-facing deployments
• Restrict repository push permissions to trusted users only
• Monitor unusual git push patterns and metadata injection attempts
• Enforce strict input validation for repository-related operations

Reference:
• https://nvd.nist.gov/vuln/detail/CVE-2026-3854

18. Privilege Escalation Vulnerability in Tenable Nessus and Nessus Agent

Technical Details / Key Points:
• A high-severity privilege escalation vulnerability has been identified in Tenable Nessus and Nessus Agent on Windows systems
• CVE-2026-33694 – Improper Link Resolution (CWE-59: Link Following)
• Severity: High
• CVSSv3: 8.2 | CVSSv4: 7.4
• The flaw allows a locally authenticated attacker to exploit Windows junction handling
• Successful exploitation enables arbitrary file deletion with SYSTEM-level privileges
• Can lead to privilege escalation and potential arbitrary code execution

Attack Characteristics:
• Attack Vector: Local (AV:L)
• Privileges Required: Low (PR:L)
• User Interaction: Required
• Complexity: Low
• Scope Change: Possible (S:C)

Patched Versions:
• Nessus 10.11.4
• Nessus 10.12.0
• Nessus Agent 11.1.3

Impact:
• Arbitrary file deletion with SYSTEM privileges
• Local privilege escalation to highest system level
• Potential arbitrary code execution
• Compromise of endpoint security scanning infrastructure
• Risk of tampering with vulnerability assessment processes

Recommendations:
• Immediately upgrade Nessus and Nessus Agent to patched versions
• Restrict local user access on affected Windows systems
• Monitor for abnormal file system or junction manipulation activity
• Apply least privilege principles for Nessus service accounts
• Audit endpoints for unauthorized privilege escalation attempts
• Ensure security tools are running with hardened configurations

Reference:
• https://tenable.com/security/tns-2026-13
• https://tenable.com/security/tns-2026-12

19. High-Severity Vulnerability in Juniper Junos OS and Junos OS Evolved

Technical Details / Key Points:
• A high-severity vulnerability has been identified in Juniper Networks Junos OS and Junos OS Evolved
• CVE-2026-33797 – Improper Input Validation leading to BGP session reset (DoS)
• Severity: High | CVSS v3.1: 7.4
• The flaw allows an unauthenticated attacker on an adjacent network to disrupt routing sessions
• Exploitation occurs via specially crafted but valid BGP packets within an established BGP session
• Affects both eBGP and iBGP implementations across IPv4 and IPv6 environments
• Repeated exploitation can sustain denial-of-service conditions and destabilize routing infrastructure

Affected Versions:
• Junos OS 25.2 prior to 25.2R2
• Junos OS Evolved 25.2-EVO prior to 25.2R2-EVO

Fixed Versions:
• Junos OS 25.2R2, 25.4R1 or later
• Junos OS Evolved 25.2R2-EVO, 25.4R1-EVO or later

Impact:
• Denial-of-service via BGP session resets
• Network routing instability and potential outages
• Disruption of inter-domain and internal routing (eBGP/iBGP)
• Increased risk to service availability in enterprise and ISP networks
• Potential cascading failures in large-scale routing environments

Recommendations:
• Immediately upgrade Junos OS and Junos OS Evolved to fixed versions
• Monitor BGP session stability and unexpected resets
• Implement strict filtering of BGP traffic on trusted interfaces
• Restrict adjacency exposure to trusted peers only
• Enable routing security controls and session authentication where possible
• Continuously monitor network telemetry for abnormal BGP behavior

Reference:
• https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-An-attacker-sending-a-specific-genuine-BGP-packet-causes-a-BGP-reset-CVE-2026-33797

20. Security Updates for Google ChromeOS (LTS Channel)

Technical Details / Key Points:
• Google has released a Long Term Support (LTS) update for ChromeOS addressing multiple security vulnerabilities
• The issues affect browser and platform components, including memory management and graphics APIs
• Exploitation could lead to code execution, memory corruption, or privilege abuse

Critical Vulnerability:
• CVE-2026-6297 – Use After Free in Proxy
• Severity: Critical
• Affects proxy handling mechanisms and may allow memory corruption leading to potential code execution

High Severity Vulnerabilities:
• CVE-2026-4456 – Use After Free in Digital Credentials API
• CVE-2026-4680 – Use After Free in FedCM
• CVE-2026-4675 – Heap Buffer Overflow in WebGL
• These vulnerabilities may enable memory corruption and exploitation under specific conditions

Fixed Versions:
• ChromeOS LTS-144: 144.0.7559.249 (Platform Version: 16503.81.0)

Impact:
• Potential remote code execution via browser or system component exploitation
• Memory corruption leading to system instability
• Possible privilege abuse within ChromeOS environment
• Risk to endpoint security in managed enterprise ChromeOS deployments
• Exploitation via malicious web content or credential flows

Recommendations:
• Immediately update ChromeOS devices to LTS-144 or later
• Ensure automatic updates are enabled for managed endpoints
• Monitor endpoint logs for browser-based exploitation attempts
• Restrict access to untrusted web content where possible
• Apply browser hardening and enterprise policy controls
• Maintain ChromeOS fleet on latest security baseline

Reference:
• https://chromereleases.googleblog.com/2026/04/long-term-support-channel-update-for_29.html

21. Multiple Vulnerabilities in SonicWall SonicOS

Technical Details / Key Points:
• Multiple vulnerabilities have been identified in SonicWall SonicOS affecting firewall and management components
• These flaws may allow unauthorized access, restricted service interaction, and denial-of-service conditions

• CVE-2026-0204 – Improper Access Control
  • Severity: High | CVSS: 8.0
  • Management interface functions may be accessible under certain conditions
  • May allow unauthorized access to sensitive administrative capabilities
• CVE-2026-0205 – Path Traversal (Post-Authentication)
  • Severity: Medium | CVSS: 6.8
  • Authenticated attacker may access restricted internal services
  • Can expand access within the device
• CVE-2026-0206 – Stack-Based Buffer Overflow (Post-Authentication)
  • Severity: Medium | CVSS: 4.9
  • May allow a privileged user to crash firewall
  • Leads to denial-of-service condition

Fixed Versions:
• Gen6 Hardware Firewalls: 6.5.5.2-28n
• Gen7 NSv: 7.3.2-7010
• Gen8 Firewalls: 8.2.0-8009

Impact:
• Unauthorized access to firewall management functions
• Potential escalation of access within firewall environment
• Denial-of-service through firewall crashes
• Risk to enterprise perimeter security and network segmentation
• Exposure of sensitive network configuration data

Recommendations:
• Immediately upgrade SonicOS to fixed versions
• Restrict access to management interfaces (especially internet-facing)
• Enforce strong authentication and role-based access controls
• Monitor firewall logs for abnormal administrative activity
• Limit privileged user access and review account permissions
• Apply network segmentation to isolate firewall management planes

Reference:
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004