Weekly Threat Landscape Digest – Week 19

1. Critical Vulnerabilities in Spring Cloud Config

Overview:

• Multiple high-severity vulnerabilities disclosed in Spring Cloud Config, a component for centralized configuration in distributed systems.
• Critical flaw CVE-2026-40982 (CVSS 9.1) allows directory traversal enabling unauthenticated arbitrary file reads.
• Additional flaws impact Google Cloud Platform secret isolation, Git repository integrity via TOCTOU attack, and sensitive data leakage through logs.

Impact:

• CVE-2026-40982 enables attackers to read sensitive files such as /etc/passwd and application secrets without authentication.
• CVE-2026-40981 causes cross-project secret leakage in GCP environments, exposing API keys and service accounts.
• CVE-2026-41002 allows manipulation of Git repository directories during cloning, risking unauthorized file modification and malicious configuration injection.
• CVE-2026-41004 results in plaintext exposure of secrets in logs, increasing risk through log aggregation systems.

Affected / Fixed Versions:

• Affected: Spring Cloud Config versions 3.1.x, 4.1.x, 4.2.x, 4.3.x, 5.0.x, and older unsupported versions.
• Fixed in versions 4.3.3 and 5.0.3.

Recommendations:

• Immediately upgrade all Spring Cloud Config deployments to fixed versions 4.3.3 or 5.0.3.
• Review and restrict access permissions on configuration servers.
• Monitor logs for sensitive data exposure and adjust logging configuration to avoid plaintext secrets.
• Verify Git repository security and implement controls to mitigate TOCTOU attack vectors.
• Evaluate GCP secret management configurations to ensure project isolation.

Reference link:

• https://spring.io/security

2. Security Updates-Google Chrome

Overview:

• Google released Chrome Stable Channel version 148.0.7778.96/97 for Windows, Mac, and Linux.
• The update addresses 127 security vulnerabilities, including multiple Critical and High severity flaws.
• Vulnerabilities affect core components such as Blink, V8 JavaScript engine, ANGLE graphics layer, GPU, DOM, WebRTC, ServiceWorker, Chromoting, and more.

Impact:

• Critical issues include integer overflow and use-after-free vulnerabilities leading to potential memory corruption and remote code execution.
• High severity flaws include out-of-bounds read/write, heap buffer overflow, insufficient validation, type confusion, and uninitialized use vulnerabilities.
• Exploitation of these vulnerabilities could allow attackers to execute arbitrary code, cause denial of service, or bypass security controls.

Affected / Fixed Versions:

• Fixed in Chrome 148.0.7778.96 for Linux.
• Fixed in Chrome 148.0.7778.96/97 for Windows and Mac.

Recommendations:

• Update all systems to the latest Chrome 148 stable release immediately.
• Enable automatic browser updates across enterprise environments to ensure timely patching.

Reference link:

• https://chromereleases.googleblog.com/

3. Multiple Vulnerabilities in WatchGuard Agent for Windows

Overview:

• Several vulnerabilities identified in WatchGuard Agent for Windows, including privilege escalation and stack-based buffer overflow issues.
• CVE-2026-6787 and CVE-2026-6788 involve privilege escalation via the WatchGuard Agent service, allowing local attackers to gain SYSTEM-level privileges.
• CVE-2026-41288 relates to incorrect permission assignment in the patch management component, enabling authenticated local users to escalate privileges.
• CVE-2026-41286 and CVE-2026-41287 are stack-based buffer overflow vulnerabilities in the discovery service, exploitable by unauthenticated attackers on the local network to cause denial-of-service.

Impact:

• Privilege escalation leading to full system compromise.
• Denial-of-service conditions disrupting endpoint security functionality.

Affected / Fixed Versions:

• Affected: WatchGuard Agent for Windows up to and including version 1.25.02.0000
• Fixed: Version 1.25.03.0000

Recommendations:

• Update WatchGuard Agent for Windows to version 1.25.03.0000 or later to mitigate these vulnerabilities.

Reference links:

• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00010
• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00011
• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00012
• https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00013

4. Security Updates – Cisco

Overview:

• Cisco has released security updates addressing multiple vulnerabilities across various products including Cisco Unity Connection, Cisco Identity Services Engine (ISE), Cisco SG350/SG350X Switches, Cisco Prime Infrastructure, Cisco Crosswork Network Controller, Cisco IoT Field Network Director, Cisco Slido, and Cisco Enterprise Chat and Email.

Impact:

• Successful exploitation could enable arbitrary code execution, authentication bypass, denial of service (DoS), malicious file upload, sensitive information disclosure, or cross-site scripting (XSS) attacks.

Vulnerabilities:

• High severity includes:

• CVE-2026-20034, CVE-2026-20035: Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery
• CVE-2026-20185: Cisco SG350/SG350X Switches SNMP Denial of Service
• CVE-2026-20188: Cisco Crosswork Network Controller and Network Services Orchestrator Connection Exhaustion Denial of Service
• CVE-2026-20167, CVE-2026-20168, CVE-2026-20169: Cisco IoT Field Network Director vulnerabilities

• Medium severity includes:

• CVE-2026-20219: Cisco Slido Insecure Direct Object Reference
• CVE-2026-20189: Cisco Prime Infrastructure Information Disclosure
• CVE-2026-20193, CVE-2026-20195: Cisco ISE Authentication Bypass
• CVE-2026-20172: Cisco Enterprise Chat and Email Lite Agent File Upload vulnerability
• CVE-2025-20204, CVE-2025-20205: Cisco ISE Stored Cross-Site Scripting

Recommendations:

• Review Cisco’s official security advisories for detailed information on affected versions and fixed releases.
• Apply patches or mitigations as recommended by Cisco promptly to reduce risk.

Reference link:

• https://sec.cloudapps.cisco.com/security/center/publicationListing.x

5. Multiple Vulnerabilities in Juniper Secure Analytics

Overview:

• Multiple vulnerabilities identified in Juniper Secure Analytics (JSA) version 7.5.0 prior to UP15 IF01.
• Issues affect several upstream components including the Linux kernel, libpng, OpenSSL, PostgreSQL client libraries, and GNU Binutils.
• CVEs include a range of criticality levels with an overall High severity (maximum CVSS 7.8).

Impact:

• Potential consequences of exploitation include memory corruption, denial of service (DoS), and privilege escalation.
• No active exploitation reported at the time of disclosure.

Affected / Fixed Versions:

• Affected: Juniper Secure Analytics 7.5.0 before UP15 IF01.
• Fixed: Version 7.5.0 UP15 IF01 and later.

Recommendations:

• Immediately upgrade to Juniper Secure Analytics 7.5.0 UP15 IF01 or later to mitigate these vulnerabilities.

Reference link:

• https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP15-IF01

6. Stored Cross-Site Scripting (XSS) Vulnerabilities in Zabbix Frontend Components

Overview:

• Two high-severity stored XSS vulnerabilities identified in Zabbix frontend components: CVE-2026-23926 and CVE-2026-23928.
• CVE-2026-23926 affects the Host Navigator widget’s maintenance tooltip, allowing an authenticated administrator to inject persistent malicious JavaScript.
• CVE-2026-23928 impacts the Item History and Plain Text widgets, with attackers able to inject scripts via monitoring data from a compromised host.
• Both vulnerabilities require user interaction and allow code execution in other users’ browsers.

Impact:

• Arbitrary JavaScript execution leading to session hijacking, credential theft, and unauthorized actions.
• Potential lateral movement and privilege escalation through persistent XSS across dashboards affecting multiple users.

Affected / Fixed Versions:

• CVE-2026-23926 affected: 7.0.0 to 7.0.23, 7.4.0 to 7.4.7; fixed in 7.0.24 and 7.4.8.
• CVE-2026-23928 affected: 6.0.0 to 6.0.44, 7.0.0 to 7.0.23, 7.4.0 to 7.4.7; fixed in 6.0.45, 7.0.24, and 7.4.8.

Recommendations:

• Upgrade to the fixed versions promptly.
• Review and restrict administrative access to trusted users.
• Monitor frontend components for unusual scripts or behavior.

Reference links:

• https://support.zabbix.com/browse/ZBX-27760
• https://support.zabbix.com/browse/ZBX-27758

7. Security Updates – Samsung Mobile

Overview:

• Samsung released the May 2026 Security Maintenance Release (SMR) for flagship Galaxy smartphones and Galaxy Watch devices.
• The update includes Google’s May 2026 Android Security Bulletin fixes and Samsung Vulnerabilities and Exposures (SVE) patches.
• Vulnerabilities addressed involve privilege escalation, arbitrary code execution, and sensitive information disclosure.

Impact:

• Exploitation could allow arbitrary code execution with elevated or system privileges.
• Unauthorized access to sensitive user or device information.
• Launching of privileged activities without authorization.
• Abuse of exported system components.
• Overall compromise of Galaxy smartphone and Galaxy Watch security.

Affected / Fixed Versions:

• Samsung devices running Android 14, 15, and 16.
• Galaxy Watch devices running Android Watch 14 and 16.

Notable vulnerabilities:

• Critical: CVE-2026-0051, CVE-2026-0073.
• High severity: SVE-2026-0483 (CVE-2026-21019) allowing arbitrary code execution on Galaxy Watch via improper input validation in FacAtFunction.
• Multiple other CVEs ranging from moderate to high severity affecting both Android OS and Samsung-specific components.

Recommendations:

• Apply the May 2026 Security Maintenance Release updates promptly to all affected Samsung Galaxy smartphones and Galaxy Watch devices.

Reference link:

• https://security.samsungmobile.com/securityUpdate.smsb

8. Actively Exploited Vulnerability in Palo Alto Networks PAN-OS

Overview:

• A critical buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) exists in the User-ID Authentication Portal (Captive Portal) service on PA-Series and VM-Series firewalls.
• Allows unauthenticated remote attackers to execute arbitrary code with root privileges by sending specially crafted packets.
• Limited in-the-wild exploitation has been confirmed, primarily targeting internet-exposed Captive Portal deployments.

Impact:

• Full firewall compromise
• Traffic interception
• Security control bypass
• Unauthorized access to internal enterprise networks

Affected / Fixed Versions:

• PAN-OS 12.1: versions prior to 12.1.4-h5 and 12.1.7 affected; patches expected by 05/13 and 05/28 respectively
• PAN-OS 11.2: versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12 affected; patches expected between 05/13 and 05/28
• PAN-OS 11.1: versions prior to 11.1.4-h33 through 11.1.15 affected; patches expected between 05/13 and 05/28
• PAN-OS 10.2: versions prior to 10.2.7-h34 through 10.2.18-h6 affected; patches expected between 05/13 and 05/28
• Cloud NGFW and Prisma Access are not affected.

Recommendations:

• Restrict User-ID Authentication Portal access to trusted internal IP addresses only.
• Block portal exposure from public internet or untrusted zones.
• Disable User-ID Authentication Portal if not required.
• Apply Threat Prevention signature updates for PAN-OS 11.1+.
• Review firewall logs and configurations for suspicious portal traffic and minimize external exposure.
• Prioritize patching internet-facing or externally accessible devices as soon as fixed releases are available.
• Restrict management and authentication interfaces to internal networks.

Reference link:

• https://security.paloaltonetworks.com/CVE-2026-0300

9. Multiple Vulnerabilities in WhatsApp

Overview:

• Meta disclosed and patched two critical vulnerabilities affecting WhatsApp on mobile and Windows desktop clients.
• Issues relate to Instagram Reels integration on iOS and Android, and file attachment handling on Windows.
• No active exploitation observed, but attack vectors enable remote code execution and malware delivery.

Impact:

• CVE-2026-23866: Incomplete validation of media content paths in Instagram Reels responses allows remote triggering of arbitrary URLs, launching external apps or directing users to phishing/malware sites.
• CVE-2026-23863: Improper handling of file names with embedded NUL bytes on Windows allows spoofed attachments that appear safe but execute malicious files (e.g., .exe).

Affected / Fixed Versions:

• CVE-2026-23866: WhatsApp for iOS versions 2.25.8.0 through 2.26.15.72 and WhatsApp for Android versions 2.25.8.0 through 2.26.7.10.
• CVE-2026-23863: WhatsApp for Windows builds prior to version 2.3000.1032164386.258709.

Recommendations:

• Update WhatsApp immediately on all platforms:
• Mobile: via official iOS and Android app stores.
• Windows: to the latest desktop client version.
• Ensure enterprise devices are compliant with patches.

Reference link:

• https://www.whatsapp.com/security/advisories/2026

10. Qualcomm Chipset Vulnerabilities – May 2026 Security Bulletin

Overview:

• Qualcomm released a May 2026 security bulletin detailing critical and high-severity vulnerabilities across chipsets affecting smartphones, automotive systems, IoT devices, and industrial platforms.

Impact:

• CVE-2026-25254 (CVSS 9.8): Remote code execution via improper authorization in Qualcomm Software Center’s SocketIO interface, enabling full control without user interaction.
• CVE-2026-25293 (CVSS 9.6): Buffer overflow in powerline communication firmware allows adjacent network attackers to execute malicious payloads.
• CVE-2026-25262 (CVSS 6.9): Write-what-where memory corruption in Primary Bootloader can bypass secure boot and enable persistent firmware compromise with local or physical access.
• Additional high-severity issues include privilege escalation, use-after-free, untrusted pointer dereference, and transient denial-of-service in various components such as Package Manager, Automotive GPU, WINBLAST-POWER firmware, WLAN HAL, and WLAN firmware.

Affected / Fixed Versions:

• Specific affected and fixed versions were not detailed in the bulletin.

Recommendations:

• Inventory all Qualcomm-based devices within your environment.
• Apply available security updates promptly as released by device vendors.

Reference link:

• https://docs.qualcomm.com/securitybulletin/may-2026-bulletin.html

11. Multiple Vulnerabilities in Apache HTTP Server

Overview:

• Multiple vulnerabilities identified in Apache HTTP Server allowing arbitrary code execution, authentication bypass, privilege escalation, and denial of service.
• Notable CVEs include CVE-2026-23918 (double free in HTTP/2), CVE-2026-33006 (timing attack in mod_auth_digest), CVE-2026-24072 (improper access control in .htaccess), plus several low-severity memory corruption and NULL pointer dereference issues.

Impact:

• Execution of arbitrary code on the server.
• Authentication bypass through timing attacks.
• Privilege escalation to httpd user level.
• Denial of service via service crashes.

Affected / Fixed Versions:

• Affected: Apache HTTP Server versions 2.4.0 through 2.4.66.
• Fixed: Apache HTTP Server version 2.4.67 and later.

Recommendations:

• Update Apache HTTP Server to version 2.4.67 or later.
• Review and apply appropriate access control settings.
• Monitor systems for signs of exploit attempts related to these vulnerabilities.

Reference links:

• https://httpd.apache.org/download.cgi#apache24
• https://httpd.apache.org/security/vulnerabilities_24.html

12. Critical RCE Vulnerability in Google Android

Overview:

• A critical remote code execution (RCE) vulnerability (CVE-2026-0073) exists in the Android System component adbd / Project Mainline.
• The flaw allows an attacker within close proximity or adjacent network range to execute arbitrary code as the shell user without user interaction or additional privileges.

Impact:

• Successful exploitation could compromise affected devices, particularly where mitigations are disabled or bypassed.

Affected / Fixed Versions:

• Affected: Android devices with versions prior to the 2026-05-01 security patch level, including Android 14, 15, 16, 16-QPR2.
• Google Play system component: adbd.

Recommendations:

• Update Android devices to the latest available security patch level (2026-05-01 or later).

Reference link:

• https://source.android.com/docs/security/bulletin/2026/2026-05-01

13. High-Severity Vulnerability in TP-Link Tapo Devices

Overview:

• A vulnerability (CVE-2025-15557) in TP-Link Tapo H100 v1 and Tapo P100 v1 devices results from improper certificate validation during device-to-cloud communication.
• The flaw allows an attacker on the same network segment to intercept and manipulate encrypted traffic.

Impact:

• Enables interception and manipulation of encrypted traffic.
• Attack vector requires adjacency on the same network.
• Attack complexity is low with no privileges or significant user interaction needed.
• CVSS v4.0 score: 7.5 (High).

Affected / Fixed Versions:

• Affected: TP-Link Tapo H100 v1 versions prior to 1.6.1.
• Affected: TP-Link Tapo P100 v1 versions prior to 1.2.6.
• Users should update firmware immediately to patched versions.

Recommendations:

• Upgrade TP-Link Tapo H100 v1 to firmware version 1.6.1 or later.
• Upgrade TP-Link Tapo P100 v1 to firmware version 1.2.6 or later.
• Monitor network traffic for suspicious activity on affected devices.

Reference link:

• https://www.tp-link.com/en/support/faq/4949/

14. Critical RCE Vulnerabilities in Apache MINA

Overview:

• Two critical remote code execution vulnerabilities (CVE-2026-42778, CVE-2026-42779) affect Apache MINA.
• The flaws relate to improper Java object deserialization protections in IoBuffer.
• Attackers can execute arbitrary code remotely without authentication by sending crafted serialized objects.

Impact:

• CVE-2026-42778 (CVSS 9.8): An incomplete fix in IoBuffer.getObject() enables execution of malicious class static initializers before allowlist checks.
• CVE-2026-42779 (CVSS 9.8): A logic flaw in AbstractIoBuffer.resolveClass() allows bypassing the acceptMatchers filter, leading to full remote code execution.

Affected / Fixed Versions:

• Affected: Apache MINA 2.1.0 to 2.1.11 and 2.2.0 to 2.2.6
• Fixed: Apache MINA 2.1.12 or later and 2.2.7 or later

Recommendations:

• Update Apache MINA to version 2.1.12 or later, or 2.2.7 or later to mitigate these vulnerabilities.

Reference link:

• https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0

15. Multiple Vulnerabilities in NVIDIA NemoClaw

Overview:

• NVIDIA released security updates for NemoClaw addressing multiple vulnerabilities including prompt injection and server-side request forgery (SSRF).

Impact:

• CVE-2026-24222 (CVSS 8.6, High): Improper access control in sandbox initialization allows remote attackers to exfiltrate host environment variables via prompt injection, causing information disclosure.
• CVE-2026-24231 (CVSS 5.9, Medium): SSRF vulnerability in validateEndpointUrl() can be exploited by supplying crafted endpoint URLs targeting the 0.0.0.0/8 range through blueprint configuration or CLI flag, potentially leading to unauthorized information disclosure.

Affected / Fixed Versions:

• Affected: All NVIDIA NemoClaw versions prior to v0.0.18 and prior to v0.0.13
• Fixed: Versions v0.0.18 and later, v0.0.13 and later

Recommendations:

• Update NVIDIA NemoClaw to version v0.0.18 or later, or v0.0.13 or later depending on the component, to mitigate these vulnerabilities.

Reference link:

• https://nvidia.custhelp.com/app/answers/detail/a_id/5837

16. Critical Vulnerabilities in MOVEit Automation

Overview:

• Progress Software disclosed two critical vulnerabilities in MOVEit Automation, a managed file transfer solution.
• CVE-2026-4670 allows authentication bypass due to improper enforcement of backend service authentication.
• CVE-2026-5174 enables privilege escalation via insufficient input validation in backend command port interfaces.

Impact:

• Attackers can bypass authentication, escalate privileges to administrative level, and access or exfiltrate sensitive data.

Affected / Fixed Versions:

• Affected: MOVEit Automation versions up to 2025.1.4, 2025.0.8, and 2024.1.7.
• Fixed: Versions 2025.1.5, 2025.0.9, and 2024.1.8.

Recommendations:

• Upgrade MOVEit Automation to the latest patched versions immediately to mitigate risks.

Reference link:

• https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174

17. Multiple Vulnerabilities in HPE Telco Service Orchestrator

Overview:

• Multiple vulnerabilities identified in HPE Telco Service Orchestrator software could allow remote attackers to exploit stack overflow conditions, bypass authentication, or gain full system compromise.

Impact:

• CVE-2026-35554 (CVSS 8.7, High): Remote attackers can bypass authentication, leading to unauthorized access and potential full system compromise.
• CVE-2026-34500 (CVSS 6.5, Medium): May allow authentication bypass under specific conditions, exposing sensitive information or unauthorized access.
• CVE-2026-33532 (CVSS 4.3, Medium): Stack overflow vulnerability could enable attackers with low privileges to impact system availability via crafted network interactions.

Affected / Fixed Versions:

• Affected: HPE Telco Service Orchestrator versions prior to 5.6.0
• Fixed: Version 5.6.0 and later

Recommendations:

• Immediately update affected HPE Telco Service Orchestrator installations to version 5.6.0 or later to mitigate these vulnerabilities.

Reference link:

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05047en_us&docLocale=en_US

18. Security Updates – Mozilla Thunderbird

Overview:

• Mozilla released security updates addressing multiple vulnerabilities in Thunderbird.
• Issues include critical memory safety bugs, information disclosure, and sandbox escape.

Impact:

• Successful exploitation may result in arbitrary code execution, sensitive information disclosure, and sandbox escape allowing security boundary bypass in browser-like contexts.

Vulnerabilities:

• Critical: CVE-2026-7322 (memory safety)
• High: CVE-2026-7320 (information disclosure in Audio/Video component), CVE-2026-7323, CVE-2026-7324 (memory safety)
• Moderate: CVE-2026-7321 (sandbox escape in WebRTC Networking component)

Affected / Fixed Versions:

• Fixed in Thunderbird 150.0.1 and Thunderbird ESR 140.10.1

Recommendations:

• Update to the latest Thunderbird versions 150.0.1 or ESR 140.10.1 to mitigate these vulnerabilities.

Reference links:

• https://www.mozilla.org/en-US/security/advisories/mfsa2026-38/
• https://www.mozilla.org/en-US/security/advisories/mfsa2026-39/

19. Mozilla Patches 423 Firefox 0-Day Vulnerabilities with Claude Mythos and Other AI Models

Overview:

• In April 2026, Mozilla fixed 423 Firefox security bugs, a significant increase driven by an AI pipeline using Anthropic’s Claude Mythos Preview and other large language models.
• Firefox 150, released April 21, 2026, included 271 AI-identified fixes (180 high severity, 80 moderate, 11 low).
• Additional fixes appeared in Firefox 149.0.2, 150.0.1, and 150.0.2.
• The AI pipeline produced reproducible bug test cases, reducing false positives and enabling efficient large-scale vulnerability discovery.
• Notable bugs include a 15-year-old HTML <legend> element use-after-free, a 20-year-old XSLT engine use-after-free, critical sandbox escape vulnerabilities via IPC race conditions, and flaws evading traditional fuzzing methods.

Impact:

• Many vulnerabilities are exploitable by default user actions, such as visiting malicious web pages.
• Several bugs enable sandbox escapes, which are critical security concerns allowing compromised content processes to affect the parent process.
• Prior architecture hardening, like freezing JavaScript prototypes by default, effectively blocked some AI-discovered attack attempts.

Affected / Fixed Versions:

• Firefox versions 149.0.2, 150.0.1, and 150.0.2 include these fixes.

Recommendations:

• Users should update to the latest Firefox releases to mitigate these vulnerabilities.
• Software projects are encouraged to adopt agentic AI-assisted vulnerability discovery pipelines for ongoing security improvements.
• Organizations should consider integrating similar AI-driven approaches into CI pipelines to detect vulnerabilities in incoming code patches.

Reference link:

• https://cybersecuritynews.com/firefox-423-0-day-vulnerabilities/

20. New Linux ‘Dirty Frag’ zero-day gives root on all major distros

Overview:

• A new zero-day vulnerability named Dirty Frag affects the Linux kernel.
• It allows local attackers to escalate privileges to root using a single command.

Impact:

• Local privilege escalation leading to full system compromise.
• Affects most major Linux distributions.

Recommendations:

• Monitor for vendor patches and apply updates once available.
• Restrict local access to trusted users only until patches are released.
• Employ standard Linux security best practices to limit exploitation.

Reference link:

• https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/

21. Multiple Critical Vulnerabilities Patched in Next.js and React Server Components

Overview:

• Vercel released security advisories addressing over a dozen vulnerabilities in Next.js (versions 13.x to 16.x with App Router) and React Server Components (version 19.x).
• Vulnerabilities include denial-of-service (DoS), middleware bypass, server-side request forgery (SSRF), cross-site scripting (XSS), and cache poisoning.

Impact:

• CVE-2026-23870: High-severity DoS via malformed HTTP requests exploiting React “Flight” protocol deserialization, causing excessive CPU usage.
• Middleware bypass allowing unauthorized access to protected content via specially crafted URLs.
• CVE-2026-44578: High-severity SSRF through WebSocket upgrade requests on self-hosted Node.js, exposing internal or cloud metadata endpoints; Vercel-hosted deployments not affected.
• CVE-2026-44573: Middleware bypass in Pages Router i18n with locale-less data requests exposing server-rendered JSON without authorization.
• Additional moderate and low-severity issues include XSS with CSP nonces, DoS in Image Optimization API, cache poisoning in server components and middleware redirects, and connection exhaustion DoS in cache components.

Recommendations:

• Immediately upgrade to patched versions of Next.js and React Server Components.
• Temporarily mitigate by enforcing authorization within route or page logic instead of middleware alone.
• Block WebSocket upgrade requests at reverse proxies or load balancers.
• Restrict server network egress to trusted internal networks.

Reference link:

• https://cybersecuritynews.com/next-js-react-server-vulnerabilities/

22. Canvas login portals hacked in mass ShinyHunters extortion campaign

Overview:

• The ShinyHunters extortion group exploited a vulnerability to deface Canvas login portals used by hundreds of colleges and universities.
• The incident involves education technology provider Instructure.

Impact:

• Widespread defacement of login portals, potentially disrupting access for students and staff.
• Increased risk of compromised credentials and further exploitation due to the breach.

Recommendations:

• Monitor for unusual access patterns or defacement on Canvas portals.
• Apply any available security patches or mitigations from Instructure.
• Enhance monitoring and incident response readiness for potential data compromise.

Reference link:

• https://www.bleepingcomputer.com/news/security/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign/

23. Ivanti customers confront yet another actively exploited zero-day

Overview:

• Ivanti disclosed CVE-2026-6973, a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM).
• The flaw is an improper input validation defect that allows authenticated users with administrative privileges to execute remote code.
• Ivanti also announced four additional high-severity vulnerabilities in the same product: CVE-2026-5787, CVE-2026-5788, CVE-2026-6973, and CVE-2026-7821.
• The vulnerabilities were discovered through internal detection, AI analysis, customer collaboration, and responsible disclosures.
• CVE-2026-6973 is known to be actively exploited in the wild, while the other disclosed flaws have no evidence of exploitation.

Impact:

• Successful exploitation allows remote code execution with administrative privileges.
• At least limited exploitation of CVE-2026-6973 is confirmed.
• The zero-day may be related to previous critical zero-days (CVE-2026-1281 and CVE-2026-1340) that were exploited starting in January 2026, affecting nearly 100 victims.

Affected / Fixed Versions:

• Patches addressing these vulnerabilities were released by Ivanti alongside the advisory.

Recommendations:

• Immediately apply the released patches for Ivanti EPMM.
• Customers who rotated EPMM administrative credentials after earlier advisories are at reduced risk.
• Follow Ivanti’s security recommendations and monitor for unusual activity.

Reference link:

• https://cyberscoop.com/ivanti-epmm-zero-day-vulnerability-exploited/

24. When prompts become shells: RCE vulnerabilities in AI agent frameworks

Overview:

• Microsoft discovered critical remote code execution (RCE) vulnerabilities in its open-source AI agent framework Semantic Kernel (CVE-2026-25592, CVE-2026-26030).
• The flaws arise from prompt injection attacks where malicious input manipulates AI plugins to execute arbitrary code.
• These vulnerabilities specifically affect the In-Memory Vector Store functionality used by the Search Plugin, allowing attackers to bypass filters and run shell commands like launching calc.exe.
• The root cause involves unsafe string interpolation in filter functions and ineffective blocklists that fail to detect alternate Python syntax used to evade detection.

Impact:

• Attackers with control over agent inputs can achieve host-level RCE, potentially taking over systems running vulnerable AI agents.
• Exploitation does not require memory corruption or traditional exploitation techniques, only maliciously crafted prompts.
• Systemic risk is high since Semantic Kernel is a foundational AI orchestration framework used in multiple applications.

Affected / Fixed Versions:

• Vulnerabilities have been patched in Semantic Kernel following responsible disclosure by Microsoft.

Recommendations:

• Update to the latest patched version of Semantic Kernel immediately.
• Audit AI agent integrations using Semantic Kernel or similar frameworks for exposure to prompt injection.
• Implement strict input validation and sanitization on AI plugin parameters.
• Monitor for suspicious command executions originating from AI agents.

Reference link:

• https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/

25. CISA urges critical infrastructure to operate in isolation during conflicts

Overview:

• CISA is advising critical infrastructure owners to prepare for essential service delivery during extended periods of isolation from IT and third-party networks.
• The initiative, called CI Fortify, focuses on protecting operational technology (OT) that controls critical infrastructure from cyberattacks originating via business IT systems or third-party vendors.
• CISA plans targeted technical assessments tailored to different sectors, prioritizing national security, defense, public health, safety, and economic continuity.

Impact:

• State-sponsored groups, notably Chinese threat actors Salt Typhoon and Volt Typhoon, continue active targeting of critical sectors such as electricity, water, and internet services.
• Previous conflicts have demonstrated vulnerabilities in water plants, power substations, and data centers to kinetic and cyberattacks.
• Isolation reduces attack surface by disconnecting OT from IT, third-party vendors, and telecom equipment, enabling continued operation under adverse conditions.

Recommendations:

• Develop plans to maintain safe operations for weeks to months while disconnected from external networks.
• Define acceptable service levels during isolation and coordinate with critical customers on emergency service expectations.
• Back up data, document systems thoroughly, and prepare manual operational backups for use when automated systems fail.
• Engage with CISA for assessments and adopt best practices for OT security and incident recovery.

Reference link:

• https://cyberscoop.com/cisa-ci-fortify-critical-infrastructure-isolation-recovery-guidance-during-conflict/

26. MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks

Overview:

• CVE-2026-29014 is a critical unauthenticated code injection vulnerability in MetInfo CMS, an open-source content management system.
• This vulnerability allows remote attackers to execute arbitrary PHP code, leading to full system compromise.
• Threat actors are actively exploiting this flaw in the wild.

Impact:

• Remote code execution can lead to unauthorized access, data breaches, and complete server takeover.

Affected / Fixed Versions:

• Affected versions include MetInfo CMS 7.9, 8.0, and 8.1.
• Users should update to the latest patched release once available from the MetInfo development team.

Recommendations:

• Immediately apply official patches or updates addressing CVE-2026-29014.
• Implement web application firewalls and monitor for suspicious activity to detect exploitation attempts.
• Restrict access to the CMS backend and ensure server-side security best practices.

Reference link:

• https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html

27. Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API

Overview:

• A critical unauthenticated remote code execution vulnerability is actively exploited in Weaver (Fanwei) E-cology, an enterprise office automation and collaboration platform.
• The flaw resides in the “/papi/esearch/data/devops/” endpoint.
• CVSS score: 9.8.

Impact:

• Allows remote attackers to execute arbitrary code without authentication, risking full system compromise.

Affected / Fixed Versions:

• Affects Weaver E-cology versions prior to 10.0.20260312.

Recommendations:

• Immediately update to version 10.0.20260312 or later.
• Monitor network traffic for exploitation attempts targeting the vulnerable endpoint.

Reference link:

• https://thehackernews.com/2026/05/weaver-e-cology-rce-flaw-cve-2026-22679.html

28. Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability

Overview:

• A critical authentication-bypass vulnerability in cPanel was disclosed.
• Multiple proof-of-concept exploits appeared shortly after disclosure.
• At least one researcher reports ongoing zero-day exploitation activity for over a month.

Impact:

• Exploiting this flaw allows attackers to bypass authentication, potentially gaining unauthorized access to cPanel accounts.
• This could enable full server control, data theft, or server compromise at scale.

Recommendations:

• Immediate application of vendor-provided patches or mitigations.
• Monitoring of systems for signs of compromise related to this vulnerability.
• Employ additional access controls to restrict cPanel administration access.

Reference link:

• https://www.darkreading.com/threat-intelligence/exploit-cyber-frenzy-critical-cpanel-vulnerability