Ticker feed
CISA has added CVE-2022-0492, a Linux kernel privilege escalation flaw, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The vulnerability lies in the cgroups v1 release_agent feature: when the last process leaves a cgroup, the kernel runs the program named in release_agent as root in the host's namespaces, and the bug let a process set that path without holding CAP_SYS_ADMIN in the initial user namespace. A process that can mount a cgroup v1 hierarchy can therefore run arbitrary commands as root on the host, which is also a container escape.
It's especially dangerous in cloud-native setups where containers rely on cgroups for resource isolation. Federal agencies must patch by June 5, 2026. Other organizations should move fast too. Fixes include updating the kernel, disabling unprivileged user namespaces, keeping the default seccomp and AppArmor/SELinux profiles that block unshare and mount inside containers, and auditing container configurations for privileged mode, added CAP_SYS_ADMIN, or writable cgroup mounts, any of which puts the release_agent write within reach.
Source: Cybersecurity News
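The audit the item calls for comes down to a few kernel-facing checks: is a cgroup v1 hierarchy mounted, is it writable, does the process hold CAP_SYS_ADMIN, and can an unprivileged process create a user namespace to gain it. The script below is an added example (not code from CISA, the article, or any vendor) that reads those facts from /proc; each check takes the file contents as a string so it can be exercised offline with constructed input. It reports preconditions, not proof of exploitability: it does not know whether the kernel carries the fix (which was backported across stable trees, so check your distribution's advisory rather than the version number), and it ignores seccomp and LSM profiles.

```python
import sys
from typing import Dict, List, Optional

CAP_SYS_ADMIN = 21  # bit index in the CapEff mask, from linux/capability.h


def cgroup_v1_mounted(mounts: str) -> bool:
    """True if any cgroup v1 hierarchy is mounted (fstype 'cgroup'; v2 is 'cgroup2')."""
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            return True
    return False


def writable_cgroup_v1_mounts(mounts: str) -> List[str]:
    """Mount points of cgroup v1 hierarchies that are not mounted read-only."""
    found = []
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "cgroup" and "ro" not in fields[3].split(","):
            found.append(fields[1])
    return found


def has_cap_sys_admin(status: str) -> bool:
    """Parse the CapEff line of /proc/self/status and test the CAP_SYS_ADMIN bit."""
    for line in status.splitlines():
        if line.startswith("CapEff:"):
            return bool(int(line.split()[1], 16) & (1 << CAP_SYS_ADMIN))
    return False


def unprivileged_userns_allowed(max_user_ns: str, userns_clone: Optional[str]) -> bool:
    """user.max_user_namespaces == 0 disables user namespaces on any kernel;
    kernel.unprivileged_userns_clone == 0 (Debian/Ubuntu sysctl) disables them
    for unprivileged users. Either setting blocks the unprivileged variant."""
    if int(max_user_ns.strip()) == 0:
        return False
    if userns_clone is not None and int(userns_clone.strip()) == 0:
        return False
    return True


def assess(mounts: str, status: str, max_user_ns: str, userns_clone: Optional[str]) -> Dict:
    """'exposed' means a release_agent write looks reachable from this process.
    Mounting a fresh cgroupfs needs CAP_SYS_ADMIN in some user namespace: either
    the container already holds it, or the process can unshare a user namespace."""
    v1 = cgroup_v1_mounted(mounts)
    cap = has_cap_sys_admin(status)
    userns = unprivileged_userns_allowed(max_user_ns, userns_clone)
    return {
        "cgroup_v1": v1,
        "writable_v1_mounts": writable_cgroup_v1_mounts(mounts),
        "cap_sys_admin": cap,
        "unprivileged_userns": userns,
        "exposed": v1 and (cap or userns),
    }


def _read(path: str) -> Optional[str]:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def main() -> int:
    findings = assess(
        _read("/proc/self/mounts") or "",
        _read("/proc/self/status") or "",
        _read("/proc/sys/user/max_user_namespaces") or "1",
        _read("/proc/sys/kernel/unprivileged_userns_clone"),
    )
    for key, value in findings.items():
        print(f"{key}: {value}")
    return 1 if findings["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside the container image you ship, not only on the host: a container that reports cgroup_v1 true together with cap_sys_admin or unprivileged_userns true is the configuration the exploit needs, and the fix is either the kernel update or removing one of those preconditions.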
CISA is urging federal agencies to patch a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 within three days. The flaw, CVE-2026-45247, carries a near-perfect CVSS score of 9.8 and requires no authentication to exploit.
Attackers plant a crafted serialized PHP object in the CacheWarmer cookie; when the extension deserializes it, the resulting object chain gives full remote code execution on Magento and Adobe Commerce servers. Imperva reports active exploitation began shortly after public disclosure on May 26. Thousands of stores are at risk: any running a version before 1.11.12 should update immediately.
Source: SecurityWeek
CISA added a critical SolarWinds Serv-U flaw, CVE-2026-28318, to its Known Exploited Vulnerabilities catalog on June 5, 2026, with a remediation deadline of June 19 for federal agencies.
The vulnerability lets unauthenticated attackers crash Serv-U file transfer software remotely by sending a malicious POST request with a Content-Encoding: deflate header — no credentials required. That zero-privilege, network-accessible attack path makes it especially dangerous for organizations with Serv-U exposed to the internet.
SolarWinds has released a fix in version 15.5.4 Hotfix 1. All organizations should patch immediately, restrict Serv-U exposure behind a firewall or VPN, and monitor logs for suspicious POST requests.
Source: Cybersecurity News
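The two request patterns described above (a serialized PHP object arriving in the Magento CacheWarmer cookie, and a deflate-encoded POST aimed at Serv-U) can be pulled out of a proxy or WAF export with one small triage script. This is an added example, not code from either article or vendor. The JSON-lines record format and the sample records are constructed for it, the class name Example in the cookie is a placeholder, and because neither article states the exact payload encoding, the cookie check flags any PHP serialized-object syntax (O:<len>:"Class":<n>:{) after URL decoding and after a base64 decode attempt.

```python
import base64
import json
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# PHP serialized object header: O:<name length>:"<class name>":<property count>:{
PHP_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def _decodings(value: str) -> List[str]:
    """The raw value plus URL-decoded and base64-decoded variants of it."""
    variants = [value]
    decoded = unquote(value)
    if decoded != value:
        variants.append(decoded)
    for v in list(variants):
        try:
            padded = v + "=" * (-len(v) % 4)
            variants.append(base64.b64decode(padded, validate=False).decode("latin-1"))
        except (ValueError, TypeError):
            pass  # not base64; keep what we have
    return variants


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Value of one cookie from a raw Cookie header (split on ';', first '=' only)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def php_object_in_cookie(cookie_header: str, name: str = "CacheWarmer") -> bool:
    """Magento pattern: serialized PHP object syntax inside the CacheWarmer cookie."""
    value = cookie_value(cookie_header, name)
    if value is None:
        return False
    return any(PHP_OBJECT.search(v) for v in _decodings(value))


def deflate_post(record: Dict) -> bool:
    """Serv-U pattern: a POST whose body is announced as Content-Encoding: deflate."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    return record.get("method") == "POST" and "deflate" in headers.get("content-encoding", "").lower()


def triage(records: List[Dict]) -> List[Dict]:
    """Return one finding per record that matches either pattern, with the reasons."""
    findings = []
    for rec in records:
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        reasons = []
        if php_object_in_cookie(headers.get("cookie", "")):
            reasons.append("php-object-in-CacheWarmer-cookie")
        if deflate_post(rec):
            reasons.append("deflate-encoded-POST")
        if reasons:
            findings.append({"src": rec.get("src"), "path": rec.get("path"), "reasons": reasons})
    return findings


# Constructed sample records (JSON lines); not real traffic. The first cookie is the
# URL-encoded form of O:7:"Example":1:{s:1:"x";i:1;}, a placeholder object.
SAMPLE = """
{"src":"203.0.113.7","method":"GET","path":"/","headers":{"Cookie":"PHPSESSID=abc; CacheWarmer=O%3A7%3A%22Example%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"}}
{"src":"198.51.100.9","method":"POST","path":"/","headers":{"Content-Encoding":"deflate","Content-Type":"application/octet-stream"}}
{"src":"192.0.2.5","method":"GET","path":"/catalog","headers":{"Cookie":"CacheWarmer=1; form_key=xyz"}}
"""


def load_records(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE)):
        print(finding)
```

The deflate check will also match legitimate clients that compress request bodies, so scope it to the Serv-U listener rather than all traffic; the cookie check has the opposite problem, since a cookie that never legitimately carries serialized data should produce zero hits, and any hit deserves a look at the source address.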
A critical vulnerability in the Everest Forms Pro WordPress plugin is under active attack, with over 29,300 exploitation attempts blocked since April 13, 2026. The flaw, CVE-2026-3300, scores a near-perfect 9.8 on the CVSS scale and affects all versions up to 1.9.12.
The bug lives in the plugin's "Complex Calculation" feature, where user inputs are passed directly into PHP's eval() function without proper sanitization. Attackers don't need credentials — they just submit a crafted form field. Most attacks aim to create rogue admin accounts, with one common payload creating a user named "diksimarina."
A patch (version 1.9.13) has been available since March 18. Update immediately.
Source: Cybersecurity News
A debug setting accidentally left enabled in production releases of six Microsoft Android apps (Word, Excel, PowerPoint, OneNote, Loop, and 365 Copilot) exposed users to potential account takeover at massive scale. Researchers at Enclave found that the setting disabled the check that stops untrusted apps from obtaining Microsoft authentication tokens.
Any malicious Android app could silently request and receive login tokens, giving attackers access to emails, Teams messages, and files. Worse, the stolen tokens were long-lived refresh tokens for Microsoft's Family of Client IDs (FOCI), so a single token can be redeemed for access across Microsoft's first-party apps, and its use looks like ordinary client traffic, which makes it very hard to distinguish from legitimate activity. Microsoft has since patched all six apps across CVEs CVE-2026-41100 through CVE-2026-42832.
Source: Dark Reading
Bedfordshire Hospitals NHS Foundation Trust has revealed that personal data belonging to 32,927 patients was stolen and published online following a ransomware attack in June 2024. The breach hit a third-party supplier serving multiple healthcare organisations, and the stolen files — covering patients who had lab or diagnostic results between 2011 and 2020 — were later posted on dark web forums.
It took specialists over a year to piece together the fragmented, unstructured data before the trust could confirm what was taken. Exposed information may include names, dates of birth, NHS numbers, postcodes, and test results. The trust says there's no evidence the data has been misused, but is urging affected patients to stay alert to suspicious communications.
Source: BBC News
Kali365, a phishing-as-a-service platform the FBI warned about last month, has grown far more dangerous. Originally built to bypass MFA on Microsoft 365 accounts, it now targets AWS, Okta, Xerox DocuShare, and a range of Russian platforms — including MAX Messenger, a Kremlin-backed messaging app with over 80 million users.
Arctic Wolf researchers mapped 126 active malicious hosts operating between early and late May, all running the same kit. Kali365 relies on device code phishing: the attacker starts a device code login, and the victim, lured to the genuine Microsoft sign-in page, enters the code and completes MFA themselves, which hands the attacker a token for the victim's account. MFA is satisfied, just not by the attacker. At least 14 similar kits are now circulating, and the threat is accelerating.
Source: Dark Reading
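Device code sign-ins leave a distinct marker in Entra ID sign-in logs: authenticationProtocol is "deviceCode". The script below is an added example (not from the article or Arctic Wolf) that reads a sign-in export as JSON lines, lists every device-code sign-in, and flags the successful ones coming from an IP address the user has not used for any other successful sign-in in the same export. The records are constructed; the field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, userPrincipalName, appDisplayName, status.errorCode); and it assumes the ipAddress on a device-code sign-in is the client that redeemed the code.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sign-in export (JSON lines); not real tenant data.
SAMPLE = """
{"createdDateTime":"2026-05-19T10:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.21","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T08:02:11Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","authenticationProtocol":"oAuth2","appDisplayName":"Microsoft Teams","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T09:14:03Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.45","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T10:30:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.21","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI","status":{"errorCode":0}}
{"createdDateTime":"2026-05-20T11:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.77","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office","status":{"errorCode":50126}}
"""


def load_signins(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(rec: Dict) -> bool:
    return rec.get("status", {}).get("errorCode") == 0


def device_code_signins(records: List[Dict]) -> List[Dict]:
    """Every sign-in that used the device code flow, successful or not."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def baseline_ips(records: List[Dict]) -> Dict[str, Set[str]]:
    """Per user, the IPs seen on successful sign-ins that did NOT use the device code flow."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if succeeded(r) and r.get("authenticationProtocol") != "deviceCode":
            ips[r["userPrincipalName"]].add(r["ipAddress"])
    return ips


def suspicious_device_code(records: List[Dict]) -> List[Dict]:
    """Successful device-code sign-ins from an IP the user has no other sign-in from.
    Assumes ipAddress on a device-code sign-in is the client that redeemed the code."""
    base = baseline_ips(records)
    flagged = []
    for r in device_code_signins(records):
        if not succeeded(r):
            continue  # failed redemptions are worth counting but yielded no session
        if r["ipAddress"] not in base.get(r["userPrincipalName"], set()):
            flagged.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                            "app": r.get("appDisplayName"), "time": r["createdDateTime"]})
    return flagged


if __name__ == "__main__":
    recs = load_signins(SAMPLE)
    print(f"{len(device_code_signins(recs))} device-code sign-ins in export")
    for hit in suspicious_device_code(recs):
        print("REVIEW", hit)
```

In the sample, bob's device-code sign-in comes from the same address as his normal Teams sign-in and is not flagged; alice's comes from an address she has never used and is. On a real hit, revoke the user's sign-in sessions so the refresh token the kit obtained stops working, then look at what the token was used for. Tenants that never need the device code flow can block it outright with a Conditional Access policy using the "Authentication flows" condition; the detection above is for tenants that must leave it enabled for some users.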
Hackers targeted Red Hat's packages on the npm registry Monday, publishing malicious versions of 32 packages in just 72 seconds, which is almost certainly automated. The poisoned packages span Red Hat's entire Hybrid Cloud Console JavaScript ecosystem, with nearly 10 million downloads combined.
The malware, linked to a worm called "Mini Shai-Hulud" from hacking group TeamPCP, harvests GitHub secrets, cloud credentials, SSH keys, Kubernetes material, and more — then exfiltrates everything to attacker-controlled servers. At least 210 repositories containing stolen credentials have already been identified.
Red Hat has published clean versions of all 32 packages. Anyone who installed a compromised version should treat the machine that ran the install, and every pipeline that ran on it, as breached: rotate the GitHub tokens, cloud credentials, SSH keys and Kubernetes credentials the worm harvests, and check those accounts for access that happened after the install.
Source: SecurityWeek
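Whether a compromised version ever reached a build is a lockfile question. This added example (not Red Hat's or SecurityWeek's code) scans a package-lock.json with lockfileVersion 2 or 3, whose "packages" map is keyed by node_modules path, for package@version pairs from an advisory list, and it catches nested copies installed under another dependency. The names and versions in AFFECTED and in the sample lockfile are constructed placeholders; the advisory's real list is not reproduced here.

```python
import json
from typing import List, Set, Tuple

# Hypothetical advisory data: the real package names and versions are not reproduced here.
AFFECTED: Set[Tuple[str, str]] = {
    ("@example-org/console-widgets", "2.4.1"),
    ("@example-org/console-auth", "1.9.0"),
}

# Constructed lockfile with one direct hit, one clean older version, and one nested hit.
LOCKFILE = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"@example-org/console-widgets": "^2.4.0"}},
        "node_modules/@example-org/console-widgets": {"version": "2.4.1"},
        "node_modules/@example-org/console-auth": {"version": "1.8.9"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@example-org/console-widgets/node_modules/@example-org/console-auth": {
            "version": "1.9.0"
        },
    },
})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the last node_modules segment wins)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def installed_packages(lock: dict) -> List[Tuple[str, str, str]]:
    """(name, version, path) for every installed package in a v2/v3 lockfile."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate it with a current npm")
    found = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a link/workspace entry without a version
        found.append((package_name(path), meta["version"], path))
    return found


def find_compromised(lock_text: str, affected: Set[Tuple[str, str]] = AFFECTED) -> List[Tuple[str, str, str]]:
    """Installed (name, version, path) triples that match the advisory list exactly."""
    return [t for t in installed_packages(json.loads(lock_text)) if (t[0], t[1]) in affected]


def affected_names_present(lock_text: str, affected: Set[Tuple[str, str]] = AFFECTED) -> Set[str]:
    """Affected package names installed at any version. Worth a look even when the pinned
    version is clean, because a floating range can resolve differently on another machine."""
    names = {n for n, _ in affected}
    return {n for n, _, _ in installed_packages(json.loads(lock_text)) if n in names}


if __name__ == "__main__":
    for name, version, path in find_compromised(LOCKFILE):
        print(f"COMPROMISED {name}@{version} at {path}")
    print("affected names present:", sorted(affected_names_present(LOCKFILE)))
```

Run it over every lockfile in the organisation, including the ones cached on CI runners. A hit means the package was installed on that host, so the host and the pipelines that ran on it fall under the credential rotation above. Running `npm ci --ignore-scripts` in CI removes one common execution path for this kind of payload, but does not help against code that runs when the package is imported.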
A security flaw in Palo Alto Networks' PAN-OS GlobalProtect VPN, tracked as CVE-2026-0257, is being actively exploited — and organizations running unpatched systems are at real risk. Attackers are forging authentication cookies to impersonate legitimate users and gain VPN access without valid credentials.
Palo Alto patched the flaw in May, but Rapid7 confirmed successful exploitation across multiple customer environments as early as May 17. CISA added it to its Known Exploited Vulnerabilities catalog on May 29. Its CVSS score of 7.8 sits in the "high" band rather than "critical", but researchers stress it should be treated as critical: an unauthenticated VPN session into your internal network is serious regardless of the score. Patch immediately.
Source: Dark Reading
A Russian state-linked worm tied to the FSB's Gamaredon group is targeting Ukrainian government, military, and critical infrastructure — and it's remarkably hard to detect. Security firm Sekoia reconstructed an active infection chain first spotted in January 2026 that starts with a booby-trapped xHTML file, exploits a WinRAR path traversal flaw (CVE-2025-8088), and drops a hidden HTA file that runs on next login.
The worm, dubbed GammaWorm, hides its modules in NTFS Alternate Data Streams, a native Windows feature that ordinary directory listings and file managers do not show (though dir /r and PowerShell's Get-Item -Stream * do enumerate them). It spreads via USB drives and network shares, pulls C2 addresses from Telegram and Cloudflare, and loops indefinitely as a backdoor. Sekoia recommends a full system wipe for infected machines and updating WinRAR to version 7.13 or later.
Source: Infosecurity Magazine