CVE-2026-20262: CISCO Catalyst SD-WAN Flaw Under Active Targeted Exploitation
Security Affairs
Actively Exploited
Cisco has issued a warning about a vulnerability in its Catalyst SD-WAN Manager, designated CVE-2026-20262. This flaw allows attackers to write arbitrary files through the web interface, potentially compromising the system's integrity. Cisco confirmed that this vulnerability is currently being actively exploited, which raises significant concerns for organizations using affected systems. The vulnerability has a CVSS score of 6.5, indicating a moderate level of risk. Companies utilizing the Catalyst SD-WAN Manager should prioritize assessing their systems for this vulnerability and implement necessary security measures to protect against potential attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited vulnerability in the LiteSpeed cPanel user-end plugin, identified as CVE-2026-54420. This flaw poses a significant risk to U.S. government servers, prompting CISA to give agencies just three days to secure their systems. Attackers can exploit this vulnerability to gain unauthorized access, which could lead to data breaches or other malicious activities. The urgency of the warning highlights the need for prompt action to protect sensitive information and maintain system integrity. Agencies are advised to take immediate steps to patch their systems against this threat.
Cisco has issued security updates to address a medium-severity vulnerability in its Catalyst SD-WAN Manager, previously known as SD-WAN vManage. The flaw, identified as CVE-2026-20262, has a CVSS score of 6.5 and has been reported as actively exploited in the wild. This vulnerability affects the web user interface, allowing authenticated remote attackers to create files, which could lead to further compromise of the system. Given that this software is widely used for managing SD-WAN deployments, organizations utilizing this product should prioritize applying the latest updates to mitigate potential risks. The active exploitation of this flaw emphasizes the importance of maintaining up-to-date security measures in network management solutions.
A threat actor has been exploiting a vulnerability in Marimo notebooks, specifically CVE-2026-39987, to gain unauthorized access. After taking control of a publicly accessible notebook, the attacker utilized a large language model (LLM) agent to carry out further actions. They extracted cloud credentials from the compromised system, which could potentially lead to additional breaches or data leaks. This incident raises concerns for organizations using Marimo products, as it demonstrates how quickly attackers can adapt and use advanced tools for post-exploitation activities. Companies must remain vigilant and ensure their systems are secured against such vulnerabilities.
Hackers are exploiting a vulnerability in FortiClient Enterprise Management Server (EMS), identified as CVE-2026-35616, which allows them to bypass authentication. This flaw is being used to deliver a credential-stealing malware known as EKZ. Organizations using FortiClient EMS are at risk, as attackers can gain unauthorized access to sensitive information through this exploit. The situation is concerning since the malware targets credentials, potentially leading to further data breaches. Companies should prioritize patching this vulnerability to protect their systems and data from compromise.
A serious vulnerability has been found in Gogs, a widely used open-source Git service that allows users to host their own repositories. This flaw, which has a CVSS score of 9.4, enables any authenticated user to execute arbitrary code, potentially giving them full control over the server. This means that individuals with valid access can exploit this weakness to run malicious commands, posing a significant risk to the integrity and security of the affected systems. Currently, there is no CVE identifier linked to this vulnerability, which may complicate tracking and response efforts. Users of Gogs should be particularly vigilant and consider implementing immediate security measures to mitigate potential exploitation.
CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks
Security Affairs
Actively Exploited
A recently identified vulnerability in FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, is being actively exploited to deploy information-stealing malware, according to a report from Arctic Wolf. This flaw has a high severity rating of 9.1 and allows attackers to execute remote code without needing authentication, making it particularly dangerous. Organizations using FortiClient EMS should be on high alert as the vulnerability can be exploited through specially crafted requests. The vulnerability was patched in April, but the ongoing exploitation highlights the importance of timely updates and monitoring for suspicious activity. Companies must ensure they have applied the latest patches to protect their systems from these attacks.
Recent research indicates that attackers are increasingly using artificial intelligence to speed up the development of exploits for known vulnerabilities, specifically CVEs (Common Vulnerabilities and Exposures). This advancement allows malicious actors to create working exploits much faster than traditional methods, making it harder for security scanners to detect and mitigate these threats in a timely manner. As a result, organizations could be at greater risk of attacks that exploit these vulnerabilities before they have a chance to be patched. The implications are significant, as it suggests a need for companies to enhance their security measures and stay ahead of evolving tactics used by attackers. Users and organizations must remain vigilant and proactive in addressing vulnerabilities to protect their systems from potential exploitation.
Researchers have identified a serious vulnerability in Gitea, an open-source platform used for version control, that allows unauthorized users to access private container images. This flaw, labeled CVE-2026-27771, impacts all versions of Gitea prior to 1.26.2. Attackers can exploit this weakness without needing any credentials, which could lead to unauthorized access to sensitive data stored in container images. Given the nature of Gitea as a self-hosted solution, organizations using outdated versions are particularly at risk. It’s crucial for users to update their installations to the latest version to safeguard their private resources.
Microsoft has identified a serious vulnerability in SharePoint, labeled CVE-2026-45659, which has a CVSS score of 8.8. This flaw allows attackers to execute remote code with minimal effort, posing a significant risk to organizations using the platform. The vulnerability does not require complicated conditions for exploitation, which increases its potential impact. Microsoft has released security updates to address this issue, and users are strongly advised to apply these patches as soon as possible to protect their systems. Ignoring this vulnerability could lead to unauthorized access and control over affected SharePoint environments.
A serious vulnerability in Universal Robots' PolyScope operating system has been identified, allowing potential attackers to execute commands remotely. This flaw, tracked as CVE-2026-8153, has a high severity rating of 9.8, indicating a significant risk. It affects all versions of PolyScope software prior to 5.25.1, which means any users operating older versions are at risk. The ability for remote command execution could enable unauthorized access to connected systems, posing a threat to operational security. Users and organizations utilizing Universal Robots' systems need to take immediate action to update their software to the latest version to mitigate this risk.
A zero-day vulnerability identified as CVE-2026-5426 has been discovered in a Japanese Learning Management System (LMS). This security flaw arises from the use of hard-coded ASP.NET machine keys, which attackers can exploit to deploy Cobalt Strike, a popular penetration testing tool that can also be used for malicious purposes. The exploitation of this vulnerability poses significant risks to educational institutions and organizations using the LMS, potentially allowing unauthorized access to sensitive information and systems. Users of the affected LMS should take immediate steps to secure their systems to prevent potential intrusions.
A new zero-click attack has been discovered that targets WhatsApp accounts on devices running iOS 16. This attack takes advantage of vulnerabilities in the ImageIO framework, specifically identified as CVE-2025-43300, and potentially CVE-2025-55177. By exploiting these flaws, attackers can gain unauthorized access to WhatsApp sessions without any user interaction. This is particularly concerning for users of iOS 16, as it opens the door for unauthorized access to private messages and data. Users should remain vigilant and consider updating their devices as soon as patches are available to mitigate this risk.
Trend Micro has reported a serious security vulnerability in its Apex One platform, identified as CVE-2026-34926. This flaw allows for a directory path traversal, which means attackers could potentially access files and directories outside the intended scope. The company has confirmed that this vulnerability is being actively exploited in the wild, with at least one confirmed incident. Organizations using the Apex One platform are at risk, which makes it crucial for them to act quickly. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding this vulnerability, urging affected users to take immediate action to protect their systems.
Microsoft has patched a serious remote code execution vulnerability in SharePoint, identified as CVE-2026-45659. This flaw impacts SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The vulnerability arises from the way SharePoint handles untrusted data, allowing an authenticated attacker to execute code on a vulnerable server without requiring any user interaction. The simplicity of the attack makes it particularly concerning, as it poses a risk to organizations using these versions of SharePoint. Companies should prioritize applying the patches to safeguard their systems from potential exploitation.