Threat Alerts — Critical
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- New Ransomware Framework Evades Nine Major Security ToolsCritical · Ransomware · 2026-07-06Researchers have found a new modular ransomware framework called Avalon that is built specifically to slip past nine security products many small businesses run day to day, including Microsoft Defender, SentinelOne, and CrowdStrike. It arrives through a spoofed legal document and shows signs of AI-assisted development. By the time its CrownX ransomware component shows a ransom note, it has already stolen credentials and disabled recovery options.
- Adobe Patches Seven Maximum-Severity ColdFusion and Campaign FlawsCritical · Vulnerability / CVE · 2026-07-03Adobe shipped patches for seven maximum-severity flaws across ColdFusion and Campaign Classic, including one CVE scored a perfect 10.0 that lets an unauthenticated attacker run code as SYSTEM. No active exploitation has been confirmed yet, but the fixes are worth applying now given how fast these bugs tend to get weaponized.
- AI Agent Runs an Entire Ransomware Attack AloneCritical · Ransomware · 2026-07-02Researchers at Sysdig say they've documented the first ransomware attack carried out end to end by an AI agent, no human at the keyboard. The agent broke into an exposed Langflow server through a year-old bug, stole cloud credentials, and encrypted a production database before leaving a ransom note. The entry point was a flaw that a patch already fixed months ago.
- Mass FortiGate Credential Theft Now Linked to RansomwareCritical · Ransomware · 2026-07-02A threat intelligence firm has tied the FortiBleed credential-harvesting campaign directly to two active ransomware operations, after finding a shared operator working negotiation panels for both groups. The campaign scanned more than 430,000 FortiGate firewalls worldwide and has already produced at least 12 ransomware deployments. If your business runs a FortiGate device, this is the moment to check whether your credentials were part of the haul.
- SimpleHelp Auth Bypass Exploited to Steal Cloud CredentialsCritical · Vulnerability / CVE · 2026-07-01A maximum-severity flaw in the SimpleHelp remote support platform is under active exploitation, letting attackers log in as a technician with no password at all. Once inside, they're deploying two new malware families that raid credentials from cloud accounts, code repositories, and AI coding tools on managed business systems.
- Kemp LoadMaster Flaw Lets Attackers Run Commands Pre-AuthCritical · Vulnerability / CVE · 2026-07-01A critical flaw in Progress Kemp LoadMaster, a load balancer appliance widely used to distribute traffic across business servers, lets an attacker run arbitrary commands with no login at all. Exploitation attempts began on June 29, and a detailed technical writeup now public is expected to accelerate the attacks.
- Critical Oracle E-Business Suite Flaw Is Under Active AttackCritical · Vulnerability / CVE · 2026-06-30Attackers are exploiting a 9.8-rated flaw in Oracle E-Business Suite that hands them control of the Payments module with no login required. Oracle patched it in May, but exposed and unpatched instances are being hit now. Any business running EBS for finance needs to confirm the fix is installed.
- Public Exploit Code Lands for Critical libssh2 SSH Client FlawCritical · Vulnerability / CVE · 2026-06-29A proof-of-concept is now public for CVE-2026-55200, a critical flaw in libssh2 that a malicious SSH server can use to corrupt memory on any client that connects to it. The library is bundled inside curl, Git, PHP, backup agents, and countless appliances, often statically linked so a normal update misses it. There is no fixed release yet. CVEs: CVE-2026-55200.
- Critical PTC Windchill Flaw Exploited to Plant Web ShellsCritical · Vulnerability / CVE · 2026-06-27Attackers are exploiting a CVSS 9.3 flaw in PTC Windchill, the product design software used across aerospace, automotive and medical manufacturing, to run code and drop web shells on exposed servers. CISA added it to its must-patch list with a 28 June federal deadline. It is the first PTC bug ever to make that catalogue.
- Three Chainable Ubiquiti UniFi Flaws Give Attackers Full Network ControlCritical · Vulnerability / CVE · 2026-06-26Three maximum-severity flaws in Ubiquiti's UniFi OS, all now on the CISA Known Exploited Vulnerabilities list, can be chained by unauthenticated attackers to gain full remote code execution. Patches were available in May; CISA is now ordering federal agencies to apply them within three days, confirming active exploitation is underway.
- CISA Warns of Active Attacks on Lantronix Industrial DevicesCritical · Vulnerability / CVE · 2026-06-25CISA has confirmed attackers are actively exploiting CVE-2025-67038, a critical flaw in Lantronix EDS5000 serial-to-IP converters that hands over root access. Federal agencies were ordered to patch by 26 June. The devices connect older industrial and building equipment to networks, so a compromise can open a path deeper inside. CVEs: CVE-2025-67038.
- Cisco Unified CM Flaw Under Active Attack After PoC PublicationCritical · Vulnerability / CVE · 2026-06-24CVE-2026-20230 is a CVSS 8.6 server-side request forgery flaw in Cisco Unified Communications Manager that lets unauthenticated attackers write arbitrary files and escalate to root. Patches arrived on 3 June 2026 but exploitation began days after a public proof-of-concept, and businesses running on-premises UCM telephony systems need to act immediately. CVEs: CVE-2026-20230.
- F5 Patches Two Critical NGINX Flaws That Allow Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-19F5 has fixed two critical vulnerabilities in NGINX, the web server and reverse proxy that sits in front of a large share of the world's websites. Either flaw can be used to run code on an affected server. There is no confirmed exploitation yet, but NGINX bugs have been attacked within days of disclosure before, and many small businesses run the software without realising it.
- FortiBleed Campaign Harvests Admin Logins From 30,000 Fortinet FirewallsCritical · Other · 2026-06-18Researchers found an attacker database holding working administrator logins for more than 30,000 internet-facing Fortinet firewalls, pulled by cracking credentials inside exposed configuration files. The victims span banks, hospitals, universities, and large companies across 194 countries. Any business running a FortiGate with old firmware or a reused admin password could be on the list.
- CISA Flags Maximum-Severity Joomla Editor Flaw as Actively ExploitedCritical · Vulnerability / CVE · 2026-06-17CISA added a CVSS 10.0 flaw in the Joomla Content Editor to its Known Exploited Vulnerabilities catalog after seeing attacks in the wild. The bug lets unauthenticated attackers upload and run PHP code on any site using a vulnerable version of the popular editor extension. US federal agencies have until June 19 to patch, and any small business running Joomla should update now.
- Critical Splunk Flaw Allows Unauthenticated Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-15A critical bug in Splunk Enterprise, CVE-2026-20253, lets an unauthenticated attacker write files and run code on the server through an exposed PostgreSQL service. Splunk Cloud is safe, but on-premise installs below versions 10.2.4 and 10.0.7 need patching fast now that exploit details are public. CVEs: CVE-2026-20253.
- Iran-Linked Handala Steals 5GB from California Water Utility, Exposes Customer DataCritical · Other · 2026-06-13The Iran-linked Handala group published 5GB of data stolen from California Water Service, covering roughly 2 million customers. The dump includes consumer PII, payment histories, and administrative credentials to the utility's GPS reference station network, raising concerns beyond consumer privacy.
- CISA Issues 3-Day Federal Patch Deadline for CVSS 10.0 Ivanti Sentry FlawCritical · Vulnerability / CVE · 2026-06-13CISA added CVE-2026-10520, a CVSS 10.0 OS command injection flaw in Ivanti Sentry, to its Known Exploited Vulnerabilities catalog and required federal agencies to patch within three days. Shadowserver warns that organisations that have not yet applied the patch are most likely already compromised. CVEs: CVE-2026-10520.
- ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach UniversitiesCritical · Ransomware · 2026-06-12The ShinyHunters extortion crew exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to steal data from more than 100 organizations, most of them US universities. The bug scores 9.8, needs no login, and was unpatched while attacks ran. Any business running PeopleSoft with internet-facing management endpoints is exposed. CVEs: CVE-2026-35273.
- Windows BitLocker Bypass and Two SYSTEM Escalations Patched This WeekCritical · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patch cycle included three named zero-day vulnerabilities: YellowKey bypasses BitLocker in Windows Recovery Mode, while GreenPlasma and MiniPlasma both grant SYSTEM-level access on fully patched Windows 11 and Windows Server systems. None were exploited in the wild before patching.
- Critical Unauthenticated RCE Flaws Patched in Ivanti Sentry and FortiSandboxCritical · Vulnerability / CVE · 2026-06-10Ivanti and Fortinet patched critical unauthenticated remote code execution flaws in security appliances on June 10. Ivanti's CVE-2026-10520 scores the maximum CVSS 10 and allows root code execution on Sentry gateways without credentials. Fortinet's CVE-2026-25089 (CVSS 9.8) does the same to FortiSandbox. Neither is actively exploited yet, but Ivanti appliances have historically been targeted within days of similar advisories. CVEs: CVE-2026-10520, CVE-2026-25089.
- SAP Patches Critical NetWeaver Flaws Including CVSS 9.9 Authentication BypassCritical · Vulnerability / CVE · 2026-06-10SAP's June 2026 security update patches 15 vulnerabilities including four rated critical. CVE-2026-44748 (CVSS 9.9) lets an authenticated attacker bypass SAML authentication in SAP NetWeaver. CVE-2026-27671 (CVSS 9.8) allows unauthenticated remote code execution via crafted RFC requests to the ABAP Application Server. CVEs: CVE-2026-44748, CVE-2026-27671.
- Microsoft Patches 200 Windows Vulnerabilities in June 2026 Patch TuesdayCritical · Vulnerability / CVE · 2026-06-09Microsoft's June 2026 Patch Tuesday resolves 200 vulnerabilities, 33 of them Critical. Three publicly disclosed zero-days are included targeting Windows CTFMON, HTTP.sys, and BitLocker. For businesses running Windows, the most dangerous patches this cycle cover Remote Desktop Client, Microsoft Office, and Kerberos authentication.
- Critical Veeam Backup Flaw Gives Domain Users Remote Code ExecutionCritical · Ransomware · 2026-06-09Veeam patched CVE-2026-44963 in Backup and Replication today, a 9.4 CVSS flaw that lets any domain user execute code on backup servers running version 12. No active exploitation yet, but ransomware groups target Veeam backup infrastructure to disable recovery before deploying ransomware. The fixed version is 12.3.2.4854. CVEs: CVE-2026-44963.
- Check Point VPN Zero-Day Exploited by Qilin Ransomware in Active Global CampaignCritical · Ransomware · 2026-06-08A critical authentication bypass in Check Point's Remote Access VPN is under active exploitation, with a confirmed Qilin ransomware affiliate using it to enter networks without credentials. The flaw, CVE-2026-50751, affects Spark firewalls marketed to SMBs and managed service providers. Patches were released June 8. CVEs: CVE-2026-50751.
- Critical WordPress Plugin Flaw Used to Backdoor Over 100,000 Business SitesCritical · Vulnerability / CVE · 2026-06-08A 9.8 CVSS vulnerability in the Everest Forms Pro WordPress plugin has been exploited since April 13, allowing unauthenticated attackers to inject PHP code, create admin accounts, and install backdoors. Over 100,000 business sites use the plugin. A patch has been available since March.
- New Ransomware Group 'Viperwave' Hits Professional Services Firms Across 14 CountriesCritical · Ransomware · 2026-06-06A newly identified ransomware group, Viperwave, has claimed responsibility for attacks on professional services firms across 14 countries. The group skips encryption entirely in favour of data exfiltration and targets businesses with 10–200 employees.