Threat Alerts — Vulnerability / CVE
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- New Bad Epoll Flaw Turns Any Linux User Into RootHigh · Vulnerability / CVE · 2026-07-06A newly disclosed Linux kernel bug called Bad Epoll lets a normal user account jump straight to root, and it works on desktops, servers, and some Android phones. A public proof-of-concept reaches root about 99% of the time on tested systems, though there's no sign yet that real attackers have picked it up. A patch exists, but epoll can't simply be switched off.
- Unpatched Flaws Found in Filesystem Used in Millions of DevicesWatch · Vulnerability / CVE · 2026-07-06Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library buried inside security cameras, drones, industrial controllers, and hardware crypto wallets. On the worst-affected devices, a booby-trapped USB drive or SD card can hand over full control. The lone maintainer hasn't responded, so most fixes now depend on individual device vendors.
- Adobe Patches Seven Maximum-Severity ColdFusion and Campaign FlawsCritical · Vulnerability / CVE · 2026-07-03Adobe shipped patches for seven maximum-severity flaws across ColdFusion and Campaign Classic, including one CVE scored a perfect 10.0 that lets an unauthenticated attacker run code as SYSTEM. No active exploitation has been confirmed yet, but the fixes are worth applying now given how fast these bugs tend to get weaponized.
- CISA Sets July 4 Deadline for SharePoint RCE FlawHigh · Vulnerability / CVE · 2026-07-02CISA has added a Microsoft SharePoint flaw to its list of vulnerabilities under active attack, giving federal agencies until July 4 to patch it. The bug lets any logged-in user with basic site permissions run code on the server, no admin access needed, and Microsoft already shipped the fix back in May. If you run SharePoint Server on-premises, this is a today problem.
- SimpleHelp Auth Bypass Exploited to Steal Cloud CredentialsCritical · Vulnerability / CVE · 2026-07-01A maximum-severity flaw in the SimpleHelp remote support platform is under active exploitation, letting attackers log in as a technician with no password at all. Once inside, they're deploying two new malware families that raid credentials from cloud accounts, code repositories, and AI coding tools on managed business systems.
- Kemp LoadMaster Flaw Lets Attackers Run Commands Pre-AuthCritical · Vulnerability / CVE · 2026-07-01A critical flaw in Progress Kemp LoadMaster, a load balancer appliance widely used to distribute traffic across business servers, lets an attacker run arbitrary commands with no login at all. Exploitation attempts began on June 29, and a detailed technical writeup now public is expected to accelerate the attacks.
- Critical Oracle E-Business Suite Flaw Is Under Active AttackCritical · Vulnerability / CVE · 2026-06-30Attackers are exploiting a 9.8-rated flaw in Oracle E-Business Suite that hands them control of the Payments module with no login required. Oracle patched it in May, but exposed and unpatched instances are being hit now. Any business running EBS for finance needs to confirm the fix is installed.
- Apple Patches Three Dozen Flaws, Some Found by AI ToolsWatch · Vulnerability / CVE · 2026-06-30Apple's latest round of updates fixes more than 30 security bugs across iPhone, iPad, Mac, and Safari, including four in the WebKit browser engine. Some of the flaws were uncovered with help from AI tools. None are known to be under attack yet, which makes this the easy kind of update to install before it matters.
- Public Exploit Code Lands for Critical libssh2 SSH Client FlawCritical · Vulnerability / CVE · 2026-06-29A proof-of-concept is now public for CVE-2026-55200, a critical flaw in libssh2 that a malicious SSH server can use to corrupt memory on any client that connects to it. The library is bundled inside curl, Git, PHP, backup agents, and countless appliances, often statically linked so a normal update misses it. There is no fixed release yet. CVEs: CVE-2026-55200.
- Public Exploit Turns a Linux Kernel Flaw Into Instant RootHigh · Vulnerability / CVE · 2026-06-28A new Linux kernel flaw, CVE-2026-46331 or 'pedit COW', lets any logged-in user become root, and a working exploit went public within a day of the patch. It corrupts a cached copy of a system binary in memory, so file-integrity tools see nothing wrong. Shared servers, CI runners, and Kubernetes nodes are the systems most at risk. CVEs: CVE-2026-46331.
- Critical PTC Windchill Flaw Exploited to Plant Web ShellsCritical · Vulnerability / CVE · 2026-06-27Attackers are exploiting a CVSS 9.3 flaw in PTC Windchill, the product design software used across aerospace, automotive and medical manufacturing, to run code and drop web shells on exposed servers. CISA added it to its must-patch list with a 28 June federal deadline. It is the first PTC bug ever to make that catalogue.
- Amazon Q Flaw Let Malicious Repos Steal Cloud Credentials SilentlyHigh · Vulnerability / CVE · 2026-06-27A flaw in Amazon Q Developer, Amazon's AI coding assistant, let a booby-trapped code repository run commands the moment a developer opened it, with no prompt and no click. The payload could lift live AWS keys and cloud tokens straight off the machine. Amazon has patched it, but the lesson about auto-running AI config files is bigger than one tool.
- Three Chainable Ubiquiti UniFi Flaws Give Attackers Full Network ControlCritical · Vulnerability / CVE · 2026-06-26Three maximum-severity flaws in Ubiquiti's UniFi OS, all now on the CISA Known Exploited Vulnerabilities list, can be chained by unauthenticated attackers to gain full remote code execution. Patches were available in May; CISA is now ordering federal agencies to apply them within three days, confirming active exploitation is underway.
- CISA Warns of Active Attacks on Lantronix Industrial DevicesCritical · Vulnerability / CVE · 2026-06-25CISA has confirmed attackers are actively exploiting CVE-2025-67038, a critical flaw in Lantronix EDS5000 serial-to-IP converters that hands over root access. Federal agencies were ordered to patch by 26 June. The devices connect older industrial and building equipment to networks, so a compromise can open a path deeper inside. CVEs: CVE-2025-67038.
- Cisco SD-WAN Bug Was Exploited as a Zero-Day for MonthsHigh · Vulnerability / CVE · 2026-06-25Mandiant says an unknown attacker exploited a Cisco Catalyst SD-WAN flaw, CVE-2026-20245, for at least two months before it was public, using it to take full root control of a network device. The attacker created a hidden admin account and then erased their own tracks. Any business running Cisco SD-WAN edge gear should run the checks below and confirm the patch is applied. CVEs: CVE-2026-20245.
- Cisco Unified CM Flaw Under Active Attack After PoC PublicationCritical · Vulnerability / CVE · 2026-06-24CVE-2026-20230 is a CVSS 8.6 server-side request forgery flaw in Cisco Unified Communications Manager that lets unauthenticated attackers write arbitrary files and escalate to root. Patches arrived on 3 June 2026 but exploitation began days after a public proof-of-concept, and businesses running on-premises UCM telephony systems need to act immediately. CVEs: CVE-2026-20230.
- Squidbleed (CVE-2026-47729): A 29-Year Memory Leak in Squid Proxy Exposes CredentialsWatch · Vulnerability / CVE · 2026-06-23CVE-2026-47729, nicknamed Squidbleed, is a memory leak in Squid Proxy's FTP parser that has sat undetected since 1997. In shared proxy environments, it can expose authentication credentials, session tokens, and API keys from one user's HTTP session to another. A patch is available in Squid 7.6, released June 2026. CVEs: CVE-2026-47729.
- Microsoft Discloses AutoJack Attack That Turns AI Agents Into Code Execution ToolsHigh · Vulnerability / CVE · 2026-06-21Microsoft security researchers have identified a technique called AutoJack that uses a malicious web page to hijack AI browsing agents and execute code on the host machine, with no user credentials or additional interaction required. As businesses deploy AI agents to handle tasks autonomously, AutoJack represents a new attack surface that sits outside the scope of traditional patching. No active exploitation has been confirmed, but the attack does not rely on any single software vulnerability and could emerge in any AI agent capable of browsing the web.
- WordPress Email Plugin Flaw Leaks API Keys From 100,000 SitesWatch · Vulnerability / CVE · 2026-06-20Attackers are actively exploiting a flaw in Gravity SMTP, a WordPress plugin on roughly 100,000 sites, that hands unauthenticated visitors the site's API keys, secrets, and email credentials. Wordfence has blocked more than 17 million exploit attempts. Sites running an old version should assume their connected email accounts are compromised.
- Hackers Hit Mexican Agencies Using Old Fortinet and Ivanti BugsHigh · Vulnerability / CVE · 2026-06-20Researchers at CloudSEK uncovered Operation Escaneo, an intrusion campaign that breached Mexican government bodies, banks, and utilities by exploiting known Fortinet and Ivanti VPN flaws. The attackers stole over 1.3 million personal records and mapped internal networks. Every flaw they used already had a patch, which is the uncomfortable part for smaller firms running the same gear.
- F5 Patches Two Critical NGINX Flaws That Allow Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-19F5 has fixed two critical vulnerabilities in NGINX, the web server and reverse proxy that sits in front of a large share of the world's websites. Either flaw can be used to run code on an affected server. There is no confirmed exploitation yet, but NGINX bugs have been attacked within days of disclosure before, and many small businesses run the software without realising it.
- Windows Defender Zero-Day Gives Attackers SYSTEM Access, Patch PendingHigh · Vulnerability / CVE · 2026-06-18Microsoft has confirmed a zero-day in Windows Defender, tracked as CVE-2026-50656 and nicknamed RoguePlanet, that lets a logged-in attacker jump to full SYSTEM control. A public proof-of-concept already works on fully patched Windows 10 and 11, whether or not real-time protection is switched on. Microsoft is still writing the fix and has not given a release date. CVEs: CVE-2026-50656.
- CISA Flags Maximum-Severity Joomla Editor Flaw as Actively ExploitedCritical · Vulnerability / CVE · 2026-06-17CISA added a CVSS 10.0 flaw in the Joomla Content Editor to its Known Exploited Vulnerabilities catalog after seeing attacks in the wild. The bug lets unauthenticated attackers upload and run PHP code on any site using a vulnerable version of the popular editor extension. US federal agencies have until June 19 to patch, and any small business running Joomla should update now.
- One-Click Microsoft 365 Copilot Flaw Could Have Leaked Emails and FilesWatch · Vulnerability / CVE · 2026-06-17Researchers chained three bugs in Microsoft 365 Copilot Enterprise Search into a one-click attack that could pull a victim's emails, calendar, and indexed files using only a trusted microsoft.com link. Microsoft assigned CVE-2026-42824, rated it critical, and has already fixed it on its own servers, so there is nothing for customers to patch. No real-world attacks were seen, but the technique shows how AI assistants reopen old web flaws. CVEs: CVE-2026-42824.
- Attackers Exploit Three FortiSandbox Flaws Rated CVSS 9.1High · Vulnerability / CVE · 2026-06-17Threat intelligence firm Defused Cyber says attackers spent the past day probing three FortiSandbox vulnerabilities, each rated CVSS 9.1, that let unauthenticated attackers bypass authentication or run commands on the appliance. Two were patched in April and one only last week. Any business running FortiSandbox should confirm it is on the latest firmware now.
- Web Hosting Plugin Flaw Lets Attackers Seize Root on Shared ServersHigh · Vulnerability / CVE · 2026-06-16CISA has flagged CVE-2026-54420, a flaw in the LiteSpeed cPanel plugin that lets an attacker with basic FTP or web shell access escalate to root on shared hosting servers. Because one server holds many small business websites, a single compromise can expose every site on the box. Hosting customers should confirm their provider has patched. CVEs: CVE-2026-54420.
- Cisco Patches Exploited SD-WAN Manager Flaw That Grants Root AccessWatch · Vulnerability / CVE · 2026-06-16Cisco has patched CVE-2026-20262, a flaw in Catalyst SD-WAN Manager already under active attack, after intruders used it to overwrite files and gain root on the system that runs corporate networks. CISA added it to its Known Exploited Vulnerabilities catalog with a June 29 deadline for federal agencies. Any business whose network is managed through Cisco SD-WAN should patch now. CVEs: CVE-2026-20262.
- Palo Alto GlobalProtect VPN Flaw Exploited in the WildHigh · Vulnerability / CVE · 2026-06-15Palo Alto Networks confirmed attackers are exploiting CVE-2026-0257, an authentication bypass in the GlobalProtect VPN portal, to set up unauthorised VPN sessions. CISA has ordered federal agencies to fix it, and any business running PAN-OS firewalls should patch now. CVEs: CVE-2026-0257.
- Critical Splunk Flaw Allows Unauthenticated Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-15A critical bug in Splunk Enterprise, CVE-2026-20253, lets an unauthenticated attacker write files and run code on the server through an exposed PostgreSQL service. Splunk Cloud is safe, but on-premise installs below versions 10.2.4 and 10.0.7 need patching fast now that exploit details are public. CVEs: CVE-2026-20253.
- CISA Issues 3-Day Federal Patch Deadline for CVSS 10.0 Ivanti Sentry FlawCritical · Vulnerability / CVE · 2026-06-13CISA added CVE-2026-10520, a CVSS 10.0 OS command injection flaw in Ivanti Sentry, to its Known Exploited Vulnerabilities catalog and required federal agencies to patch within three days. Shadowserver warns that organisations that have not yet applied the patch are most likely already compromised. CVEs: CVE-2026-10520.
- Chrome 149 Fixes 5 Critical Flaws as Google's 2026 Patch Volume Hits 700High · Vulnerability / CVE · 2026-06-13Google released Chrome 149 with fixes for 28 vulnerabilities, five rated critical, including use-after-free bugs in Core and WebMIDI and a GPU heap buffer overflow. No confirmed exploitation has been reported, but use-after-free flaws in browsers have a history of being weaponised quickly after details become public.
- Researchers Trick OpenClaw AI Agent Into Running Code and Leaking DataHigh · Vulnerability / CVE · 2026-06-12Two research teams showed the self-hosted OpenClaw AI agent can be driven to run attacker code or hand over sensitive data through ordinary inputs like a shared contact or a single email. One flaw is patched. The other is a design problem no patch fixes. Businesses adopting AI agents should limit what those agents can do on their own.
- Exchange Server XSS Flaw CVE-2026-42897 Exploited for Weeks Before PatchHigh · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patches fix CVE-2026-42897, an XSS flaw in Exchange Server's Outlook Web Access that attackers have exploited since mid-May. On-premises Exchange running Server SE, 2016, or 2019 needs the update now. CVEs: CVE-2026-42897.
- Windows BitLocker Bypass and Two SYSTEM Escalations Patched This WeekCritical · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patch cycle included three named zero-day vulnerabilities: YellowKey bypasses BitLocker in Windows Recovery Mode, while GreenPlasma and MiniPlasma both grant SYSTEM-level access on fully patched Windows 11 and Windows Server systems. None were exploited in the wild before patching.
- Critical Unauthenticated RCE Flaws Patched in Ivanti Sentry and FortiSandboxCritical · Vulnerability / CVE · 2026-06-10Ivanti and Fortinet patched critical unauthenticated remote code execution flaws in security appliances on June 10. Ivanti's CVE-2026-10520 scores the maximum CVSS 10 and allows root code execution on Sentry gateways without credentials. Fortinet's CVE-2026-25089 (CVSS 9.8) does the same to FortiSandbox. Neither is actively exploited yet, but Ivanti appliances have historically been targeted within days of similar advisories. CVEs: CVE-2026-10520, CVE-2026-25089.
- OpenSSL Patches High-Severity Heap Flaw Affecting TLS Servers and EmailHigh · Vulnerability / CVE · 2026-06-10OpenSSL patched 18 vulnerabilities this week, including CVE-2026-45447, a high-severity heap use-after-free flaw in PKCS#7 signature verification that can corrupt server memory and in some conditions enable remote code execution. OpenSSL is the TLS library behind most web servers, VPN endpoints, and email systems. Linux package managers will ship the fix, but self-managed servers and appliances with bundled OpenSSL need manual attention. CVEs: CVE-2026-45447.
- Google Patches Actively Exploited Chrome V8 Zero-DayHigh · Vulnerability / CVE · 2026-06-10Google released emergency patches for CVE-2026-11645, an out-of-bounds flaw in Chrome's V8 JavaScript engine confirmed as exploited in the wild. An attacker can run arbitrary code on a victim's machine by getting them to visit a crafted web page. This is the fifth Chrome zero-day patched in 2026. CVEs: CVE-2026-11645.
- SAP Patches Critical NetWeaver Flaws Including CVSS 9.9 Authentication BypassCritical · Vulnerability / CVE · 2026-06-10SAP's June 2026 security update patches 15 vulnerabilities including four rated critical. CVE-2026-44748 (CVSS 9.9) lets an authenticated attacker bypass SAML authentication in SAP NetWeaver. CVE-2026-27671 (CVSS 9.8) allows unauthenticated remote code execution via crafted RFC requests to the ABAP Application Server. CVEs: CVE-2026-44748, CVE-2026-27671.
- Microsoft Patches 200 Windows Vulnerabilities in June 2026 Patch TuesdayCritical · Vulnerability / CVE · 2026-06-09Microsoft's June 2026 Patch Tuesday resolves 200 vulnerabilities, 33 of them Critical. Three publicly disclosed zero-days are included targeting Windows CTFMON, HTTP.sys, and BitLocker. For businesses running Windows, the most dangerous patches this cycle cover Remote Desktop Client, Microsoft Office, and Kerberos authentication.
- Critical WordPress Plugin Flaw Used to Backdoor Over 100,000 Business SitesCritical · Vulnerability / CVE · 2026-06-08A 9.8 CVSS vulnerability in the Everest Forms Pro WordPress plugin has been exploited since April 13, allowing unauthenticated attackers to inject PHP code, create admin accounts, and install backdoors. Over 100,000 business sites use the plugin. A patch has been available since March.