Yesterday, 8 May 2026 (main stream)

Mozilla Patches 423 Firefox Vulnerabilities with Claude Mythos and Other AI Models

Cyber Security News, by Guru Baran, 8 May 2026, 05:08

Mozilla has fixed a total of 423 Firefox security bugs in April 2026 alone, a figure nearly 20 times higher than its monthly average of about 21 bugs throughout 2025, driven by a groundbreaking agentic AI pipeline built around Anthropic’s Claude Mythos Preview and other large language models.

The surge was triggered by Mozilla’s early access to Claude Mythos Preview, which identified 271 of the 423 vulnerabilities fixed in April.

These were primarily shipped as part of Firefox 150, released on April 21, 2026, with additional fixes flowing into Firefox 149.0.2, 150.0.1, and 150.0.2. Of the 271 bugs attributed to Claude Mythos Preview in Firefox 150, 180 were rated sec-high, 80 were sec-moderate, and 11 were sec-low, meaning most were vulnerabilities exploitable via normal user behavior, such as simply visiting a malicious webpage.

Beyond the 271 AI-identified bugs, the remaining 152 fixes included 41 externally reported bugs and 111 discovered through internal techniques, split roughly equally between Claude Mythos fixes shipped in other releases, bugs found with other AI models, and conventional fuzzing.

Anthropic’s own Frontier Red Team was separately credited with three standalone CVEs: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.

Mozilla publicly disclosed 12 representative bug reports to demonstrate the depth of AI analysis.

These include a 15-year-old flaw in the <legend> HTML element (Bug 2024437), triggered by meticulous orchestration of recursion stack depths and cycle collection edge cases, and a 20-year-old use-after-free (UAF) in Firefox’s XSLT engine (Bug 2025977) where reentrant key() calls caused a hash table to free its backing store while a raw pointer remained in use.

Several bugs represent critical sandbox escape primitives, including a race condition over IPC allowing a compromised content process to manipulate IndexedDB refcounts to trigger a UAF (Bug 2021894), and a raw NaN crossing an IPC boundary masquerading as a tagged JavaScript object pointer to achieve a parent-process fake-object primitive (Bug 2022034).

One exploit even simulates a malicious DNS server by intercepting glibc function calls to trigger a buffer over-read during HTTPS Record and ECH parsing (Bug 2023958).

These sandbox escape bugs are notoriously difficult to surface via traditional fuzzing methods, making AI coverage particularly valuable for this attack surface.

Mozilla’s approach evolved from early static-analysis experiments using GPT-4 and Claude 3.5 Sonnet, which produced too many false positives to be practical.

The breakthrough came with agentic harness systems that not only generate bug hypotheses but also create reproducible proof-of-concept test cases to dynamically validate them. This eliminated speculative false positives and made large-scale deployment feasible.

The pipeline was built atop Mozilla’s existing fuzzing infrastructure and parallelized across multiple ephemeral virtual machines, each assigned to hunt for vulnerabilities within a specific target file.

Mozilla integrated the full security bug lifecycle into the system: deduplication against known issues, triage, patch tracking, and release management.

Over 100 contributors worked to review, test, and ship the resulting patches, a testament to the sustained operational scale required.

Key Vulnerability Breakdown

Bug ID  | Type                                                    | Age / Severity
2024437 | HTML <legend> UAF via edge-case orchestration           | 15-year-old bug, sec-high
2025977 | XSLT reentrant key() hash table UAF                     | 20-year-old bug, sec-high
2021894 | IPC race condition → IndexedDB UAF → sandbox escape     | sec-high
2022034 | NaN-as-JS-pointer IPC deserialization → sandbox escape  | sec-high
2026305 | rowspan=0 HTML table 16-bit bitfield overflow           | sec-high, evaded fuzzers for years
2029813 | RLBox in-process sandbox escape via verification gap    | sec-high

Equally notable is what the AI pipeline failed to exploit: not for lack of capability, but because earlier hardening held.

Audit logs revealed numerous AI-driven attempts to exploit prototype pollution for sandbox escapes, all blocked by Mozilla’s earlier architectural decision to freeze JavaScript prototypes by default. This provided direct, measurable validation of previously shipped defense-in-depth mitigations.

Mozilla’s guidance is direct: any software project can begin using an agentic harness with a modern model today.

The initial prompts can be simple, essentially directing the model to find a bug in a specific code region and build a test case, with iteration improving effectiveness over time.

Mozilla plans to integrate this pipeline into its continuous integration (CI) system to scan incoming patches as they land, extending coverage from file-based to patch-based scanning.
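The loop the article describes (a model proposes a hypothesis for one target file and builds a test case, the harness validates it by execution, and the result is fed back for the next iteration) as an added example, written in Python; it is not Mozilla's harness code. Here `demo_model` is a constructed stand-in for an LLM, Python scripts play the role of the browser proof-of-concept test cases, "exception type @ faulting frame" stands in for a sanitizer crash signature, and the target file name is made up. The security-relevant mechanics are real: nothing is filed unless the PoC actually crashes, and reproduced crashes are deduplicated against the known-bug store by signature.

```python
"""Agentic bug-hunting loop: hypothesis -> PoC -> dynamic validation -> dedup.

Added example, not Mozilla's harness. `model` is any callable that, given a
target file and the feedback from earlier rounds, returns (hypothesis, PoC)
pairs; `demo_model` is a constructed stand-in for an LLM. Python scripts play
the role of the browser PoCs, and "exception type @ faulting frame" plays the
role of a sanitizer crash signature. The target file name is made up.
"""
import hashlib
import os
import re
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Candidate = Tuple[str, str]                       # (hypothesis, PoC source)
Model = Callable[[str, List[str]], List[Candidate]]

_TB_FRAME = re.compile(r'^\s+File ".*?", line \d+, in (\S+)', re.M)
_TB_EXC = re.compile(r"^(\w+(?:Error|Exception|Interrupt))\b", re.M)


@dataclass
class Finding:
    target: str
    hypothesis: str
    signature: str


@dataclass
class Report:
    confirmed: List[Finding] = field(default_factory=list)
    rejected: int = 0     # PoC ran clean: speculative, never filed
    duplicates: int = 0   # reproduced, but same signature as a known bug


def run_poc(poc_source: str, timeout: float = 5.0) -> Optional[str]:
    """Run a PoC in a fresh interpreter; return a crash signature, or None if clean."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(poc_source)
    try:
        proc = subprocess.run([sys.executable, path], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "TIMEOUT"                 # a hang is a finding too, just a different bucket
    finally:
        os.unlink(path)
    if proc.returncode == 0:
        return None
    frames = _TB_FRAME.findall(proc.stderr)
    kinds = _TB_EXC.findall(proc.stderr)
    kind = kinds[-1] if kinds else "exit" + str(proc.returncode)
    return f"{kind}@{frames[-1] if frames else '?'}"


def dedup_key(target: str, signature: str) -> str:
    """Bucket by (file, signature), the way a crash-triage database does."""
    return hashlib.sha256(f"{target}:{signature}".encode()).hexdigest()[:16]


def hunt(targets: List[str], model: Model, known: Dict[str, str], rounds: int = 2) -> Report:
    """One worker per target file. Each round the model proposes candidates, the
    harness validates them by execution, and the outcome is fed back so the next
    round can refine or move on. Only reproduced, novel crashes are recorded."""
    report = Report()
    for target in targets:
        feedback: List[str] = []
        for _ in range(rounds):
            for hypothesis, poc in model(target, feedback):
                sig = run_poc(poc)
                if sig is None:
                    report.rejected += 1
                    feedback.append(f"no crash: {hypothesis}")
                elif (key := dedup_key(target, sig)) in known:
                    report.duplicates += 1
                    feedback.append(f"duplicate of '{known[key]}': {hypothesis}")
                else:
                    known[key] = hypothesis
                    report.confirmed.append(Finding(target, hypothesis, sig))
                    feedback.append(f"confirmed ({sig}): {hypothesis}")
    return report


def demo_model(target: str, feedback: List[str]) -> List[Candidate]:
    """Constructed LLM stand-in: one speculative guess that runs clean, one real
    crash; with feedback it re-finds the same crash, which dedup must absorb."""
    speculative = ("off-by-one in header copy", "buf = bytearray(8)\nbuf[7] = 1\n")
    real = ("unchecked index in record parser", "rec = [1, 2]\nprint(rec[5])\n")
    return [real] if feedback else [speculative, real]


if __name__ == "__main__":
    store: Dict[str, str] = {}
    rep = hunt(["example/parser.cpp"], demo_model, store)
    print(f"confirmed={len(rep.confirmed)} rejected={rep.rejected} duplicates={rep.duplicates}")
    for f in rep.confirmed:
        print(f"  {f.target}: {f.hypothesis} [{f.signature}]")
```

Running it yields one confirmed finding, one rejected speculative hypothesis and one duplicate. In a real deployment `run_poc` would launch a sanitizer build of the target inside the per-file ephemeral VM and parse the ASan report, and `known` would be the bug tracker's crash-signature index; the shape of the loop does not change.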

The post Mozilla Patches 423 Firefox Vulnerabilities with Claude Mythos and Other AI Models appeared first on Cyber Security News.

Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets

Cyber Security News, by Abinaya, 8 May 2026, 04:35

Spring Cloud Config provides crucial server-side and client-side support for externalized configuration in distributed systems.

Recently, the Spring development team disclosed four security vulnerabilities impacting the Spring Cloud Config Server.

These flaws range from medium to critical severity, exposing environments to unauthorized arbitrary file access, cloud secrets leakage, and logging misconfigurations.

Because centralized configuration servers often hold sensitive keys for an entire microservice architecture, system administrators must immediately review and patch their infrastructure.

Spring Cloud Vulnerabilities

Directory Traversal Vulnerabilities

The most severe issue is CVE-2026-40982, a critical directory traversal vulnerability affecting the platform.

The Spring Cloud Config module allows applications to serve both text and binary files over the network.

An attacker can exploit this module by sending a specially crafted URL to the server, thereby bypassing restricted directories and accessing arbitrary files on the host system.

Security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi responsibly identified and reported this critical flaw.
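The bug class behind CVE-2026-40982, as an added illustration in Python; it is not Spring Cloud Config's code and does not claim to show where that server's check went wrong. `serve_naive` joins the request path onto the base directory and hands it to the filesystem, which is what lets `..` segments, percent-encoded dots and planted symlinks escape; `serve_safe` decodes once, resolves the final path and refuses anything that does not land strictly inside the resolved base. The fixture directory, file names and contents are constructed for the example.

```python
"""Path-traversal check for an endpoint that serves files out of a base directory.

Added Python illustration of the bug class behind CVE-2026-40982. It is not
Spring Cloud Config's code and does not claim to show where that server's check
failed. The fixture directory and file contents are constructed.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class Traversal(Exception):
    """The request path resolves outside the served directory."""


def serve_naive(base: Path, request_path: str) -> bytes:
    """Vulnerable: the request path is joined onto base and handed to the
    filesystem as-is, so `..` segments and planted symlinks walk out of base."""
    return (base / request_path.lstrip("/")).read_bytes()


def serve_safe(base: Path, request_path: str) -> bytes:
    """Hardened: decode exactly once, resolve the final path (this follows
    symlinks), and require a regular file strictly inside the resolved base."""
    root = base.resolve()
    candidate = (root / unquote(request_path).lstrip("/")).resolve()
    if root not in candidate.parents:
        raise Traversal(request_path)
    if not candidate.is_file():
        raise FileNotFoundError(request_path)
    return candidate.read_bytes()


def is_blocked(base: Path, request_path: str) -> bool:
    """True when serve_safe refuses the request as a traversal attempt."""
    try:
        serve_safe(base, request_path)
    except Traversal:
        return True
    return False


def make_fixture() -> Path:
    """Constructed layout: <tmp>/config/app.yml is meant to be served;
    <tmp>/secret.txt is not; <tmp>/config/link.txt is a symlink to the secret."""
    tmp = Path(tempfile.mkdtemp())
    base = tmp / "config"
    base.mkdir()
    (base / "app.yml").write_bytes(b"server.port: 8888\n")
    (tmp / "secret.txt").write_bytes(b"TOP-SECRET\n")
    os.symlink(tmp / "secret.txt", base / "link.txt")
    return base


if __name__ == "__main__":
    base = make_fixture()
    for req in ("app.yml", "../secret.txt", "%2e%2e/secret.txt", "link.txt"):
        try:
            naive = serve_naive(base, req)
        except OSError:
            naive = b"<not found>"
        print(f"{req:20} naive={naive!r:22} safe_blocks={is_blocked(base, req)}")
```

Two details matter when porting this check: decode the path once and only once (a framework that has already decoded it will turn `%252e%252e` into `..` on a second pass), and compare resolved paths rather than string prefixes, so that a symlink inside the served tree pointing outside it is rejected at its target.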

Target GCP Secrets and Git Directories

Two additional high-severity vulnerabilities threaten Spring Cloud Config deployments.

CVE-2026-40981 affects organizations that use Google Secrets Manager as the backend for their configuration server.

Malicious actors can craft specific requests to the config server, exposing sensitive secrets from unintended Google Cloud Platform projects.

Meanwhile, CVE-2026-41002 introduces a time-of-check-time-of-use attack surface.

This vulnerability specifically targets the server’s base directory used to clone Git repositories.

Threat actors can manipulate files during the cloning process due to this race condition.

Security researcher Yu Bao from PayPal received credit for discovering and reporting this Git-related vulnerability.

Trace Logging Exposes Sensitive Information

A medium-severity vulnerability (CVE-2026-41004) affects the server’s internal logging mechanisms.

When administrators enable trace logging, the system inadvertently writes sensitive information in plain text directly to the log files.

This misconfiguration could expose credentials or configuration secrets to unauthorized internal users who possess read access to the system logs.

All four vulnerabilities impact the same branches of the Spring Cloud Config ecosystem.

The affected release lines are 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions are also affected.

Users must upgrade immediately to secure their environments against potential compromise.

The Spring team has released patched versions across their different support tiers.

Open-source users must upgrade 4.3.x environments to 4.3.3 and 5.0.x environments to 5.0.3.

Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.

If immediate patching is impossible for the GCP secrets vulnerability, administrators can implement a temporary configuration workaround.

Setting the property spring.cloud.config.server.gcp-secret-manager.token-mandatory=true on the Config Server makes it require clients to send a valid token.

The system then verifies this token to ensure the client actually has legitimate access to the requested project secrets.


Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released

Cyber Security News, by Guru Baran, 8 May 2026, 01:06

Dirty Frag is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.

Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the frag member of the kernel’s struct sk_buff rather than struct pipe_buffer.

Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path, where splice() plants a reference to a read-only page cache page (for example, a page of /etc/passwd or /usr/bin/su) into the frag slot of a sender-side skb.

The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.

Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.

Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.

xfrm-ESP Page-Cache Write resides in esp_input(), the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips the mandatory skb_cow_data() buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.

Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker controls both the location (file offset) and the value (4 bytes) of each store, which is enough to overwrite bytes of /usr/bin/su’s page cache with a 192-byte static root-shell ELF, written as 48 four-byte stores.

Authentication failure (-EBADMSG) is returned afterward, but the page cache write has already persisted. This variant requires the ability to create a user namespace (unshare(CLONE_NEWUSER)).

RxRPC Page-Cache Write resides in rxkad_verify_packet_1(), which performs an in-place single-block pcbc(fcrypt) decryption on the first 8 bytes of the RxRPC payload.

Because skb_to_sgvec() converts the splice-pinned page cache page directly into the SGL, the attacker-controlled page becomes both src and dst.

The 8-byte store value is fcrypt_decrypt(C, K), where K is a freely specifiable session key registered via add_key("rxrpc", ...) — an operation requiring no privileges at all.

The attacker brute-forces K in user space until the desired plaintext (e.g., turning /etc/passwd line 1’s password field into an empty string) is produced, enabling PAM nullok authentication bypass.

Neither vulnerability alone covers all Linux environments:

  • ESP variant: available on most distributions, but requires user namespace creation, which is blocked on some Ubuntu configurations by AppArmor policy.
  • RxRPC variant: needs no namespace privilege, but rxrpc.ko is absent by default on most distributions (RHEL 10.1, for example), while Ubuntu ships it and auto-loads it.

Chaining the two exploits closes both blind spots, achieving root on essentially every major distribution. The exploit first attempts the ESP path; if unshare(CLONE_NEWUSER) fails, it automatically falls back to the RxRPC path targeting /etc/passwd.

Affected Distributions and Kernel Versions

The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), giving the chain an effective window of approximately 9 years. Confirmed affected distributions include:

  • Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
  • RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
  • openSUSE Tumbleweed (kernel 7.0.2-1-default)
  • CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
  • AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
  • Fedora 44 (kernel 6.19.14-300.fc44.x86_64)

The ESP variant patch, which uses the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data(), was merged into the netdev tree on May 7, 2026.

The final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. The RxRPC patch, which adds || skb->data_len to the existing skb_cloned() gate to force isolation of non-linear skbs, remains unmerged upstream.

No CVE identifiers have been assigned for either flaw as of publication, due to the premature embargo break by an unrelated third party on May 7, 2026.

Immediate Mitigation

Since distribution-level patches are not yet available, administrators should immediately disable the affected kernel modules with the following command, run as root:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

This prevents the esp4, esp6, and rxrpc modules from being loaded and unloads them if they are currently loaded, at the cost of IPsec (ESP) and RxRPC functionality.

Systems that rely on IPsec VPN tunnels should weigh operational impact carefully before applying the workaround and prioritize applying distribution-backported kernel patches once available.

The complete technical write-up and PoC exploit code are available at the researcher’s GitHub repository.


Multiple Critical Vulnerabilities Patched in Next.js and React Server Components

Cyber Security News, by Guru Baran, 8 May 2026, 00:01

Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting.

The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for versions 19.x.

CVE-2026-23870: Denial of Service via React Server Components

A high-severity denial-of-service vulnerability tracked as CVE-2026-23870 affects React Server Components packages for versions 19.x and all Next.js App Router deployments on versions 13.x, 14.x, 15.x, and 16.x.

A specially crafted HTTP request sent to any App Router Server Function endpoint, when deserialized, can trigger excessive CPU usage, resulting in denial-of-service attacks in unpatched environments.

The issue is rooted in the React “Flight” protocol’s deserialization logic, which fails to adequately enforce structural or type constraints on inbound payloads.

Middleware and Proxy Authorization Bypass

Three separate advisories (GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv) address middleware bypass vulnerabilities in App Router applications.

Specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by intended middleware rules, allowing protected content to be accessed without proper authorization checks.

The fix now includes App Router transport variants when generating middleware matchers, ensuring middleware protections apply consistently to all request types, including prefetch variants.

Until an upgrade is possible, developers should enforce authorization directly in the underlying route or page logic rather than relying solely on middleware.

CVE-2026-44578: SSRF via WebSocket Upgrade Requests

Tracked as CVE-2026-44578 and covered under GHSA-c4j6-fc7j-m34r, this high-severity flaw enables server-side request forgery through crafted WebSocket upgrade requests on self-hosted Node.js deployments.

An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.

Vercel-hosted deployments are explicitly noted as unaffected. The fix applies the same safety checks to WebSocket upgrade handling that already existed for standard HTTP requests.

CVE-2026-44573: Pages Router i18n Middleware Bypass

CVE-2026-44573 (GHSA-36qx-fr4f-26g5) affects applications using the Pages Router with i18n configured alongside middleware-based authorization.

Locale-less /_next/data/<buildId>/<page>.json requests bypass middleware entirely, enabling attackers to retrieve server-side rendered JSON for protected pages without passing authorization checks.

The matcher logic has been updated to apply consistent matching across both prefixed and unprefixed data routes.
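The bypass class shared by the App Router advisories above (`.rsc` and segment-prefetch URLs that render the same page) and the Pages Router i18n data-route advisory (`/_next/data/<buildId>/<page>.json` without a locale prefix), as an added illustration in Python; this is not Next.js's matcher code. `naive_authorize` applies a rule written against the raw URL, so every transport variant of the protected page slips past it; `hardened_authorize` first folds the variant back to the canonical page route. The `/_next/data/<buildId>/<page>.json` shape comes from the advisory text; the `.rsc`, `.prefetch.rsc` and `<page>.segments/<x>.segment.rsc` shapes, the build id, the locale list and the rule set are assumptions made for the example.

```python
"""Canonicalising transport variants before an authorization matcher runs.

Added Python illustration of the bypass class in the Next.js advisories; it is
not Next.js's matcher code. The `/_next/data/<buildId>/<page>.json` shape is
from the advisory text; the `.rsc`, `.prefetch.rsc` and
`<page>.segments/<x>.segment.rsc` shapes, the build id and the locale list are
assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

BUILD_ID = "abc123"            # assumed build id
LOCALES = ("en", "de")         # assumed i18n locales

_DATA_ROUTE = re.compile(rf"^/_next/data/{re.escape(BUILD_ID)}/(?P<rest>.+)\.json$")
_SEGMENT = re.compile(r"^(?P<page>/.*?)\.segments/.*\.segment\.rsc$")
_RSC_SUFFIXES = (".prefetch.rsc", ".rsc")   # longest first


def _strip_locale(path: str) -> str:
    first, _, rest = path.lstrip("/").partition("/")
    return "/" + rest if first in LOCALES else "/" + path.lstrip("/")


def canonical_route(path: str) -> str:
    """Fold every transport variant of a page back to its page route."""
    path = path.split("?", 1)[0]
    data = _DATA_ROUTE.match(path)
    seg = _SEGMENT.match(path)
    if data:
        page = "/" + data.group("rest")
    elif seg:
        page = seg.group("page")
    else:
        page = path
        for suffix in _RSC_SUFFIXES:
            if page.endswith(suffix):
                page = page[: -len(suffix)] or "/"
                break
    page = _strip_locale(page)
    return "/" if page == "/index" else page


@dataclass
class Rule:
    prefix: str
    allow: Callable[[Dict[str, str]], bool]   # request context -> allowed?


def _covers(prefix: str, route: str) -> bool:
    return route == prefix or route.startswith(prefix.rstrip("/") + "/")


def naive_authorize(rules: List[Rule], path: str, ctx: Dict[str, str]) -> bool:
    """Vulnerable: matches the raw URL, so `/dashboard.rsc` and
    `/_next/data/<id>/dashboard.json` fall past the `/dashboard` rule."""
    for rule in rules:
        if _covers(rule.prefix, path):
            return rule.allow(ctx)
    return True


def hardened_authorize(rules: List[Rule], path: str, ctx: Dict[str, str]) -> bool:
    """Fixed: match on the canonical route, so every transport variant is covered."""
    route = canonical_route(path)
    for rule in rules:
        if _covers(rule.prefix, route):
            return rule.allow(ctx)
    return True


RULES = [Rule("/dashboard", lambda ctx: "user" in ctx)]   # constructed policy


if __name__ == "__main__":
    anon: Dict[str, str] = {}
    for url in ("/dashboard", "/dashboard.rsc", f"/_next/data/{BUILD_ID}/dashboard.json",
                f"/_next/data/{BUILD_ID}/en/dashboard.json",
                "/dashboard.segments/_tree.segment.rsc"):
        print(f"{url:45} naive={naive_authorize(RULES, url, anon)!s:5} "
              f"hardened={hardened_authorize(RULES, url, anon)}")
```

Canonicalising in the matcher closes the gap for the variants the framework knows about, which is what the fix does. The advisory's interim advice still stands as defense in depth: the page or route handler should check authorization itself, because the list of transport variants lives in the framework and a new transport means a new gap in any matcher written against URLs.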

Beyond the high-severity flaws, Vercel also patched several moderate and low-severity issues.

These include cross-site scripting vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and in beforeInteractive scripts with untrusted input (GHSA-gx5p-jg67-6x7h), a denial-of-service bug in the Image Optimization API (GHSA-h64f-5h5j-jqjh), and cache poisoning issues in React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).

A connection exhaustion DoS in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning of middleware redirects (GHSA-3g8h-86w9-wvmq) round out the advisory list.

Organizations running affected Next.js versions should prioritize upgrading immediately.

For teams unable to upgrade right away, the recommended interim mitigations include enforcing authorization within individual route or page logic rather than relying on middleware alone, blocking WebSocket upgrades at the reverse proxy or load balancer level, and restricting server egress to known internal networks.


New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks

Cyber Security News, by Guru Baran, 7 May 2026, 13:29

Ivanti has issued a critical security advisory for its Endpoint Manager Mobile (EPMM) product, disclosing multiple actively exploited vulnerabilities, including CVE-2026-6973, and urging all on-premises EPMM customers to apply patches immediately.

At the time of disclosure, Ivanti confirmed active exploitation of CVE-2026-6973, a vulnerability that requires admin authentication to succeed.

The flaws exclusively affect the on-premises EPMM product and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM, Ivanti Sentry, or any other Ivanti products.

Exploitation activity has been described as “very limited” at the time of public disclosure, though the company strongly warned that advanced AI models have dramatically collapsed the time-to-exploit window from days to mere hours after a vulnerability becomes public.

In a notable shift in vulnerability management strategy, Ivanti disclosed that it has integrated multiple advanced large language model (LLM) AI systems into its product security and engineering red team processes.

This integration has enhanced the capabilities of its internal security teams to identify and remediate vulnerabilities that traditional static analysis (SAST) and dynamic analysis (DAST) tools typically miss.

Ivanti acknowledged that some of the vulnerabilities being disclosed today were discovered directly through this AI-assisted process. The company maintains a “human in the loop” policy to verify all automated or agentic findings, ensuring responsible use of AI in its security program.

Ivanti’s EPMM has been a recurring target for sophisticated threat actors. CISA has flagged at least 31 Ivanti defects on its Known Exploited Vulnerabilities (KEV) catalog since late 2021, and at least 19 defects across Ivanti products have been exploited in the past two years alone.

Previous zero-day campaigns against EPMM include CVE-2025-4427 and CVE-2025-4428 in May 2025, and CVE-2023-35078 and CVE-2023-35082 in 2023, with some attacks attributed to Chinese state-sponsored threat groups.

The consistent targeting of EPMM underscores the product’s high-value position in enterprise mobile device management infrastructure.

The vulnerabilities disclosed in Ivanti’s May 2026 security advisory affect only on-premises EPMM deployments. Organizations running cloud-based Ivanti Neurons for MDM are not impacted.

Ivanti has published detailed remediation instructions through its official Security Advisory, with patch packages that the company says take only seconds to apply and cause no downtime.

Mitigations

Ivanti strongly urges all on-premises EPMM administrators to take immediate action:

  • Apply the available security patch to all EPMM on-premises instances without delay.
  • Monitor the Apache access log at /var/log/httpd/https-access_log for signs of attempted or successful exploitation.
  • Implement network segmentation to restrict EPMM administrative interfaces to trusted networks only.
  • Review and harden mobile device management policies to reduce the overall attack surface.
  • Subscribe to Ivanti’s Security Blog and the Ivanti Innovators Hub for real-time vulnerability alerts.

Ivanti cautioned that as AI-driven tooling becomes further embedded in its security processes, customers should expect an increase in vulnerability disclosures, a transparency initiative the company frames as a proactive step toward more resilient products rather than a sign of weakening security posture.


Dirty Frag Linux Vulnerability Exposes Major Distributions to Root Access Attacks

A newly disclosed local privilege escalation (LPE) vulnerability known as Dirty Frag is raising serious concerns across the Linux ecosystem after researchers revealed that the flaw can grant root access on most major Linux distributions. The vulnerability, which currently remains unpatched, has been described as a successor to the previously disclosed Copy Fail flaw tracked as CVE-2026-31431.

Security researcher Hyunwoo Kim, also known online as @v4bel, publicly disclosed the issue after what he described as a breakdown in the coordinated disclosure and embargo process. The vulnerability was initially reported to Linux kernel maintainers on April 30, 2026, but no official fixes or CVE identifiers had been assigned at the time of disclosure.

According to Kim, Dirty Frag is not a single bug but a vulnerability class capable of achieving root privileges across many Linux distributions by chaining together two separate flaws: the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.

Kim explained in his technical write-up:

“Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.”

He further noted that Dirty Frag extends the same bug class associated with Dirty Pipe and Copy Fail (CVE-2026-31431). Unlike race-condition-based attacks, Dirty Frag operates through a deterministic logic flaw, making exploitation more reliable.

“Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”

Dirty Frag Targets Multiple Linux Distributions 

The new LPE vulnerability affects a broad range of Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. Researchers warned that successful exploitation allows an unprivileged local user to escalate privileges and gain full root access.

In a public disclosure sent to the oss-security mailing list on May 8, 2026, Kim described Dirty Frag as a “universal Linux LPE” capable of compromising all major Linux distributions.

The disclosure stated:

“This is a report on ‘Dirty Frag’, a universal LPE that allows obtaining root privileges on all major distributions.”

Kim also emphasized that the impact closely resembles Copy Fail, or CVE-2026-31431, which has already been observed under active exploitation in the wild.

How Dirty Frag Works 

The first component of Dirty Frag, the xfrm-ESP Page-Cache Write vulnerability, originates from the IPsec (xfrm) subsystem. Researchers said it provides attackers with a four-byte store primitive similar to CVE-2026-31431 and allows overwriting small portions of the kernel page cache.

However, exploitation through the xfrm-ESP path requires an unprivileged user to create a user namespace. Ubuntu blocks this through AppArmor restrictions, limiting the effectiveness of that exploit path on Ubuntu-based distributions.

To bypass that limitation, Dirty Frag chains a second flaw: the RxRPC Page-Cache Write vulnerability.

Kim explained:

“RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions.”

He added that while RHEL 10.1 does not ship the rxrpc.ko module by default, Ubuntu systems load it automatically. By combining both vulnerabilities, attackers can adapt the exploitation path to the target environment.

“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.”

Links to Older Linux Kernel Vulnerabilities 

Researchers traced the xfrm-ESP vulnerability back to a Linux kernel commit from January 2017. Notably, the same commit was identified as the root cause of another serious kernel issue, CVE-2022-27666, a buffer overflow with a CVSS score of 7.8 that affected multiple Linux distributions.

The RxRPC Page-Cache Write vulnerability, meanwhile, was reportedly introduced in June 2023.

Security firm CloudLinx stated in an advisory that the flaw exists in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path” and is reachable through the XFRM user netlink interface.

AlmaLinux also released a technical analysis explaining how the issue affects kernel memory handling:

“The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel, the receive path decrypts directly over those externally-backed pages.”

According to the advisory, this behavior can expose or corrupt plaintext data while an unprivileged process still holds a reference to the affected pages.

Public PoC Increases Risk for Linux Distributions 

The threat level surrounding Dirty Frag has intensified due to the public release of a fully working proof-of-concept exploit. Researchers warned that the exploit can grant root access using a single command, significantly lowering the barrier for attackers.

Until official patches become available, administrators are urged to disable the affected modules manually. The recommended mitigation command is:

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

Security experts also warned that Dirty Frag differs from CVE-2026-31431 in an important way: unlike Copy Fail, Dirty Frag can still be exploited even if the Linux kernel’s algif_aead module has been disabled.

Kim stated:

“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available.”

He further cautioned:

“In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”

With no patches currently available and exploit code already circulating publicly, the newly disclosed Dirty Frag LPE vulnerability presents a significant risk to Linux distributions worldwide.
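Checks an administrator would run after applying the modprobe workaround quoted in both Dirty Frag write-ups above, as an added example in Python that is not part of either article or of the researcher's PoC and does not trigger the bug. It parses /proc/modules and the modprobe.d configuration to confirm that esp4, esp6 and rxrpc are neither loaded nor loadable, reports whether unprivileged user namespace creation (the precondition of the ESP variant) is restricted, and flags accounts whose /etc/passwd password field is empty, the state the RxRPC variant leaves root's line in. The functions take file contents as text so they can be run against captured copies; the sample contents are constructed, and the three sysctl knob names are assumptions about which restriction mechanism a given distribution exposes.

```python
"""Post-workaround checks for Dirty Frag. Added example; not from the articles
or the researcher's PoC, and it does not exercise the bug."""
import glob
import re
from pathlib import Path
from typing import Dict, List, Set

TARGET_MODULES = ("esp4", "esp6", "rxrpc")

# Constructed sample inputs (not captured from a real host).
SAMPLE_PROC_MODULES = """esp4 24576 0 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
"""
SAMPLE_MODPROBE_CONF = """install esp4 /bin/false
install esp6 /bin/false
blacklist rxrpc
"""
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""

_INSTALL_FALSE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\s*$")


def loaded_modules(proc_modules_text: str) -> Set[str]:
    """Module names from /proc/modules (first whitespace-separated field)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.split()}


def blocked_modules(modprobe_conf_text: str) -> Set[str]:
    """Modules disabled with `install <mod> /bin/false`. A bare `blacklist` line
    only stops alias-based autoloading; modprobe can still load the module by
    name or as a dependency, so it is deliberately not counted here."""
    return {m.group(1) for m in map(_INSTALL_FALSE.match, modprobe_conf_text.splitlines()) if m}


def mitigation_status(proc_modules_text: str, modprobe_conf_text: str) -> Dict[str, str]:
    """LOADED: still in the kernel (rmmod failed or never ran), exploitable now.
    blocked: not loaded, and an install line prevents loading.
    loadable: not loaded now, but nothing stops it being pulled in on demand."""
    loaded = loaded_modules(proc_modules_text)
    blocked = blocked_modules(modprobe_conf_text)
    return {m: "LOADED" if m in loaded else "blocked" if m in blocked else "loadable"
            for m in TARGET_MODULES}


def userns_restricted(sysctls: Dict[str, str]) -> bool:
    """True if a known knob disables unprivileged user namespace creation.
    Assumed knob names: Debian/Ubuntu `kernel.unprivileged_userns_clone`,
    upstream `user.max_user_namespaces`, and Ubuntu's AppArmor switch
    `kernel.apparmor_restrict_unprivileged_userns`."""
    return (sysctls.get("kernel.unprivileged_userns_clone") == "0"
            or sysctls.get("user.max_user_namespaces") == "0"
            or sysctls.get("kernel.apparmor_restrict_unprivileged_userns") == "1")


def empty_password_accounts(passwd_text: str) -> List[str]:
    """Accounts whose passwd(5) password field is empty. `x` defers to
    /etc/shadow; an empty field means no password at all, which PAM accepts
    when `nullok` is configured."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] == "":
            hits.append(fields[0])
    return hits


def _read(path: str) -> str:
    try:
        return Path(path).read_text()
    except OSError:
        return ""


if __name__ == "__main__":
    conf = "\n".join(_read(p) for p in sorted(glob.glob("/etc/modprobe.d/*.conf")))
    for mod, state in mitigation_status(_read("/proc/modules"), conf).items():
        print(f"{mod}: {state}")
    knobs = {
        "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
        "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
        "kernel.apparmor_restrict_unprivileged_userns":
            "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
    }
    print("unprivileged user namespaces restricted:",
          userns_restricted({k: _read(v).strip() for k, v in knobs.items()}))
    print("empty-password accounts:", empty_password_accounts(_read("/etc/passwd")))
```

On the constructed sample the result is esp4 LOADED (the install line is present but the module was never unloaded), esp6 blocked, and rxrpc loadable (a bare `blacklist` line does not stop an explicit or dependency load), with root reported as having an empty password. Because the primitive corrupts the page cache rather than the on-disk file, a checksum of /usr/bin/su taken while the page is still cached will differ from the package database's value, so `rpm -V` or `debsums` is a useful companion check for the ESP variant.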
Cyber Security News, by Abinaya

WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows

7 de Maio de 2026, 08:49

WatchGuard has released urgent security updates to address multiple high-severity vulnerabilities affecting the WatchGuard Agent on Windows.

The most critical of these flaws allows authenticated local attackers to escalate their privileges to the highest system level, granting them complete control over the compromised machine.

Additional vulnerabilities discovered in the software include network-based buffer overflows that can trigger severe denial-of-service conditions.

Chained Local Privilege Escalation

The most severe security advisory, WGSA-2026-00013, highlights two vulnerabilities: CVE-2026-6787 and CVE-2026-6788.

These flaws, with a high CVSS score of 8.5, involve chained agent service vulnerabilities in the Windows client.

When an attacker successfully links these exploits together, they can execute a local privilege escalation attack to gain NT AUTHORITY\SYSTEM access.

Obtaining this level of unrestricted access enables threat actors to turn off security monitoring tools, deploy persistent malware, extract sensitive endpoint data, or create new hidden administrative accounts.

Another significant privilege escalation vulnerability, tracked as CVE-2026-41288, holds a CVSS score of 7.3.

This specific flaw stems from an incorrect permission assignment within the patch management component of the WatchGuard Agent.

An authenticated local user can exploit this structural misconfiguration to seamlessly elevate their privileges from a standard user to SYSTEM level.

This indicates that even a highly restricted, low-privileged employee account could fully compromise the local endpoint device if the software remains unpatched.

Alongside the privilege escalation risks, WatchGuard engineers also addressed two stack-based buffer overflow vulnerabilities residing in the agent’s discovery service.

Tracked under CVE-2026-41286 and CVE-2026-41287, both vulnerability variants carry a CVSS score of 7.1.

Unlike the privilege escalation bugs, which require local access, these overflow flaws allow unauthenticated attackers situated on the same local network to send specially crafted requests that overflow memory buffers.

A successful exploit immediately crashes the agent service, causing a denial-of-service state that temporarily blinds the endpoint’s security management and monitoring capabilities, potentially paving the way for further network attacks.

According to the official WatchGuard advisories, all four vulnerabilities impact the WatchGuard Agent on Windows versions up to and including 1.25.02.0000.

WatchGuard explicitly notes that there are currently no available mitigations or technical workarounds to prevent exploitation without applying the official software patch.

To protect endpoint environments against both local privilege escalation and network-based service disruptions, cybersecurity organizations and IT administrators should immediately update their fleets to WatchGuard Agent on Windows version 1.25.03.0000.


The post WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows appeared first on Cyber Security News.

Cyber Security News, by Abinaya

Critical Redis Vulnerabilities Enable Remote Code Execution Attacks

7 de Maio de 2026, 08:45


Five dangerous vulnerabilities in Redis expose Redis Cloud, Redis Software, and all open-source community editions to potential remote code execution, giving authenticated attackers a direct path to compromise affected systems.

All require authenticated access to exploit, but successful exploitation can lead to arbitrary code execution, full system compromise, data exfiltration, or service disruption.

The advisory, released on May 5, 2026, was published by Riaz Lakhani as part of Redis’s continued security initiatives. Four flaws were rated High severity with CVSS scores of 7.7, while one received a Medium severity score of 6.1.

Redis RCE Vulnerabilities

CVE-2026-23479 is a use-after-free vulnerability in the unblock client flow.

When a blocked client is evicted while re-executing a blocked command, the code fails to handle the error returned by processCommandAndResetClient, allowing an authenticated user to trigger a use-after-free condition and potentially execute remote code.

CVE-2026-25243 affects the Redis RESTORE command. An authenticated user can trigger an invalid memory access by sending a specially crafted serialized payload, potentially leading to arbitrary code execution within the Redis server context.

Independent researcher Emil Lerner discovered the double-free variant, and Joseph Surin identified an integer overflow and out-of-bounds read in VectorSets.

CVE-2026-25588 and CVE-2026-25589 are closely related flaws in the RESTORE command when used with the RedisTimeSeries and RedisBloom modules, respectively.

Both allow authenticated attackers to trigger invalid memory accesses via crafted serialized payloads, resulting in the same RCE impact.

Joseph Surin, John Stephenson, and Annie Nie discovered the TimeSeries flaw; Daniel Firer and Joseph Surin identified multiple RedisBloom issues, including out-of-bounds reads and writes, integer overflow, and heap buffer overflow.

CVE-2026-23631 is a medium-severity Lua use-after-free flaw. An authenticated user can exploit the master-replica synchronization mechanism to trigger the vulnerability.

It specifically affects Redis replicas configured with replica-read-only disabled and exists across all Redis versions with Lua scripting enabled. Researcher Yoni Sherez (@yoyosh__) discovered this flaw.

All Redis Cloud deployments have already been patched with no customer action required. For self-managed deployments, all Redis OSS/CE releases are affected. The following fixed versions have been released:

  • Redis OSS/CE: 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3
  • Redis Software: versions up to and including 8.0.6 are impacted; fixes are available in builds 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153
  • RedisTimeSeries: v1.12.14, v1.10.24, and v1.8.23
  • RedisBloom: v2.8.20, v2.6.28, and v2.4.23

How to Protect Your Redis Instance

Redis confirms there is no evidence of active exploitation in the wild as of publication.

However, organizations running self-managed instances should act immediately. Key mitigations include:

  • Upgrade to the latest fixed release; this is the primary remediation step. Downloads are available at redis.io/downloads.
  • Beyond patching, restrict network access using firewalls and network policies so that only trusted sources can reach the instance.
  • Enforce strong authentication across all instances, and keep Redis protected-mode enabled in CE and OSS deployments.
  • Apply the principle of least privilege to user permissions, limiting access to potentially dangerous commands.

Indicators of potential exploitation include unauthorized access attempts, unexplained server crashes with Lua engine stack traces, anomalous command execution by the redis-server user, and unexpected changes to Redis configuration or persistent files.

Several vulnerabilities were discovered through Wiz’s ZeroDay.Cloud platform in partnership with Redis, reflecting the growing role of collaborative bug bounty and vulnerability research programs in proactively securing widely deployed open-source infrastructure.



Cyber Security News, by Guru Baran

Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April

7 de Maio de 2026, 08:38

A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026.

Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.

The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks.

Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step.

Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor.

The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device.

One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection.

Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones.

Evidence of ptrace injection and set-user-ID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.

On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration.

RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.

Earthworm and ReverseSocks5 for Post-Exploitation

The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection.

EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572).

Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.

ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel.

Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely.

Indicators of Compromise

Indicator | Type | Description
67.206.213[.]86 | IP Address | Attacker Infrastructure
136.0.8[.]48 | IP Address | Attacker Infrastructure
146.70.100[.]69 | IP Address | C2 Staging Server
149.104.66[.]84 | IP Address | Attacker Infrastructure
hxxp[:]//146.70.100[.]69:8000/php_sess | URL | EarthWorm Download URL
hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz | URL | ReverseSocks5 Download URL
e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 | SHA-256 Hash | EarthWorm Binary
Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 | User Agent | Attacker User Agent String
/var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate | File Path | Tunneling Tool Artifacts
/tmp/.c | File Path | Unidentified Python Script
/tmp/R5, /var/R5 | File Path | ReverseSocks5 Binary Paths

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.



Cyber Security News, by Abinaya

Critical vm2 Node.js Library Vulnerabilities Enable Arbitrary Code Execution Attacks

7 de Maio de 2026, 05:49

VM2 has been hit by 11 critical vulnerabilities, putting countless applications that rely on it at risk of executing untrusted code.

Affecting all versions up to 3.11.1, each flaw provides attackers with a clear path out of the sandbox and into the host system, with full command execution capabilities. Worse, two of the eleven remain completely unpatched.

vm2 is a Node.js npm package that executes untrusted JavaScript inside an isolated container, powering everything from code execution platforms and CI pipelines to plugin engines and multi-tenant cloud services.

Its entire security model rests on one promise: keep malicious code inside, keep the host safe. Researchers have now shredded that promise across eleven distinct techniques, exposing just how thin the walls of that container truly were.

The library’s core promise that code running inside a VM instance cannot reach the host system has been fundamentally broken by these disclosures, with all vulnerabilities enabling full remote code execution (RCE) on the underlying host.

vm2 Node.js Library Vulnerabilities

Among the most severe issues is CVE-2026-24118, which exploits __lookupGetter__ behavior to escape the sandbox. At the same time, CVE-2026-24120 bypasses Promise species protections to execute commands via child_process.execSync.

Another flaw, CVE-2026-24781, abuses Node.js’ util.inspect internals to expose raw host objects and bypass VM2’s proxy isolation layer.

Newer JavaScript features also introduced attack paths. CVE-2026-26332 leverages DisposableStack and SuppressedError mechanics in Node.js v24 to expose the host Function object.

CVE-2026-26956 targets Node.js v25 using a WebAssembly try_table instruction that bypasses vm2’s sanitization entirely. Researchers demonstrated full root-level code execution through this technique.

Additional vulnerabilities exploit prototype chains and module loading logic. CVE-2026-43997 and CVE-2026-44006 abuse util.inspect and prototype traversal to achieve sandbox escapes.

CVE-2026-43999 bypasses vm2’s built-in module restrictions using Module._load(), even when child_process is explicitly blocked.

Prototype pollution also remains a serious concern. CVE-2026-44005 allows attackers to modify shared host prototypes, such as Object.prototype and Function.prototype, potentially impacting the entire Node.js process.

A dangerous configuration flaw tracked as GHSA-8hg8-63c5-gwmx revealed that enabling nesting: true effectively defeats require: false, allowing sandboxed code to create unrestricted inner VMs and achieve full RCE despite security restrictions.

Most concerning, two critical vulnerabilities, CVE-2026-44008 and CVE-2026-44009, remain unpatched in versions up to 3.11.1.

These flaws exploit how array species are handled and exception logic to expose host-side objects and regain unrestricted access to the host Function constructor.

CVE ID | Affected Versions | Patched Version
CVE-2026-24118 | ≤ 3.10.4 | 3.11.0
CVE-2026-24120 | ≤ 3.10.3 | 3.10.5
CVE-2026-24781 | ≤ 3.10.3 | 3.11.0
CVE-2026-26332 | ≤ 3.10.4 | 3.11.0
CVE-2026-26956 | 3.10.4 | 3.10.5
CVE-2026-43997 | ≤ 3.10.5 | 3.11.0
CVE-2026-43999 | 3.10.5 | 3.11.0
CVE-2026-44005 | 3.9.6–3.10.5 | 3.11.0
CVE-2026-44006 | ≤ 3.10.5 | 3.11.0
CVE-2026-44008 | ≤ 3.11.1 | No patch available
CVE-2026-44009 | ≤ 3.11.1 | No patch available
(not listed) | ≤ 3.11.0 | 3.11.1

According to reports published by patriksimek on GitHub, the eleven vulnerabilities highlight ongoing weaknesses in vm2’s sandbox security model, putting applications that execute untrusted code at significant risk.

Operators should immediately upgrade VM2 to version 3.11.1 to address all currently patched vulnerabilities.

For CVE-2026-44008 and CVE-2026-44009, no fix is available, and teams should consider disabling VM2-based sandboxing altogether, replacing it with kernel-level isolation technologies such as Docker, gVisor, or Firecracker microVMs.

Developers must avoid the nesting: true option and wildcard built-in configurations, such as ['*', '-child_process'], in any environment running untrusted code.

Given the sheer volume and diversity of these bypass techniques, spanning JavaScript prototype manipulation, WebAssembly exception handling, Promise species overwriting, and built-in module loading, vm2’s JavaScript-only isolation model should be considered fundamentally insufficient for high-security use cases.



Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks

Salesforce AMPScript

A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure.

The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.

Security researchers found that weaknesses in SFMC’s templating engine and cryptographic implementation introduced opportunities for unauthorized data access across customer environments.

AMPScript and SFMC Template Injection Risks 

Modern enterprises rely heavily on Salesforce Marketing Cloud to manage large-scale marketing campaigns, personalized customer journeys, and trackable email communications. The platform, formerly known as ExactTarget, supports dynamic content generation through technologies such as AMPScript, Server-Side JavaScript (SSJS), and internal data views connected to large subscriber databases.

While these features provide flexibility for marketers, researchers noted that they also increase the impact of any underlying vulnerability. One of the major concerns centered on SFMC’s server-side templating framework.

AMPScript and SSJS allow organizations to dynamically insert subscriber attributes such as names, email addresses, and engagement metrics directly into marketing content. However, functions like TreatAsContent introduced a dangerous behavior because they effectively evaluate user-controlled input as executable template code. Researchers explained that if attacker-controlled data was passed into these functions, it could trigger template injection inside Salesforce Marketing Cloud environments.

The issue became more severe because SFMC historically supported AMPScript execution within email subject lines. According to the findings, legacy behavior caused subject templates to be evaluated twice by default. That design opened the door for payload execution during the second rendering stage. Researchers demonstrated the risk using the following payload inside a name field:

%%=RowCount(LookupRows("_Subscribers","SubscriberKey",_subscriberkey))=%%

If processed during the second evaluation phase, the payload could execute successfully and create a reliable injection point inside the marketing workflow.

Once template execution was achieved, attackers could potentially use built-in SFMC functions such as LookupRows to query internal Data Views, including:
  • _Subscribers  
  • _Sent  
  • _Job  
  • _SMSMessageTracking  
  • _Click  
Access to these views could expose subscriber lists, email delivery records, engagement metrics, and message history associated with affected Salesforce Marketing Cloud tenants. 

CloudPages and “View Email in Browser” Vulnerability

Researchers identified an even more serious vulnerability tied to SFMC’s “view email in browser” functionality and CloudPages infrastructure. Many Salesforce customers configure branded domains such as view.example.com or pages.example.com that route back to shared SFMC infrastructure. These links typically rely on an encrypted qs parameter containing tenant and message-specific information.

According to researchers from Searchlight Cyber, the older “classic” qs implementation used unauthenticated CBC encryption. The researchers found that the implementation behaved as a padding oracle, which made it possible to decrypt and re-encrypt query string parameters under certain conditions. Initially, the researchers abused the weakness using the Padre tool before later improving the process through the AMPScript MicrositeURL function.

This allowed them to forge valid QS values and access workflows such as “Forward to a Friend,” which could resolve subscriber identifiers into actual email addresses.

One of the most concerning aspects of the vulnerability was SFMC’s use of a single static encryption key shared across tenants. Researchers stated that once the cryptographic structure became understood, attackers could theoretically enumerate subscribers and access email content across multiple organizations using the same mechanism.

Legacy Encryption Weaknesses Expanded the Attack Surface 

The researchers also uncovered an older URL format that relied on per-parameter “encryption.” However, the mechanism reportedly consisted of a repeating static XOR key combined with a checksum. Although the scheme was considered legacy functionality, researchers found that it still worked on modern SFMC tenants. Because the implementation lacked strong cryptographic protections, attackers could decrypt and enumerate parameters such as JobID and ListSubscriber at high speed without relying on the slower padding-oracle technique.

The findings highlighted how legacy systems inside large cloud platforms can continue to create security exposure long after newer protections are introduced.

Impact of the Salesforce Marketing Cloud Vulnerability 

Researchers concluded that the combined vulnerabilities could have enabled attackers to: 
  • Enumerate and exfiltrate subscriber records  
  • Access sent marketing emails and engagement data  
  • Forge cross-tenant QS tokens  
  • Access emails belonging to other organizations  
  • Exploit hard-coded cryptographic material  
  • Abuse argument-injection flaws tied to the MicrositeURL function  
  • Manipulate CloudPages and other SFMC web workflows  
To address the issues, Salesforce assigned multiple CVEs covering several root causes, including insecure cryptographic implementations, hard-coded keys, and argument injection vulnerabilities affecting MicrositeURL and CloudPages components.

According to Salesforce, the vulnerabilities were reported on 16 January 2026. Mitigations were deployed between 21 January and 24 January 2026. The company stated that it had identified no confirmed malicious exploitation at the time of disclosure.

As part of the remediation process, Salesforce migrated Marketing Cloud Engagement encryption to AES-GCM, rotated encryption keys, and disabled the double evaluation behavior tied to AMPScript subject-line rendering.

The company also invalidated all legacy tracking and CloudPages links created before 21 January 2026 at 23:00 UTC. Those links expired globally on 23 January 2026 at 21:00 UTC.
Cyber Security News, by Abinaya

Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access

6 de Maio de 2026, 08:49

A severe zero-authorization vulnerability in Schemata’s API, an AI-powered virtual training platform holding active Department of Defense (DoD) contracts, recently exposed highly sensitive military training materials and U.S. service member records.

Discovered by the open-source AI hacking agent Strix, the flaw allowed ordinary, low-privileged accounts to access cross-tenant data across the entire platform.

The vulnerability stemmed from a complete lack of authorization boundaries and tenant isolation on the application’s API.

When Strix established a low-privilege baseline and mapped reachable API surfaces, it successfully replayed high-value collection endpoints using a standard session.

The API failed to enforce organizational scoping or permission checks. Instead of returning data restricted to the test account, the system globally returned data across the entire platform.

Furthermore, the absence of authorization checks on write-enabled routes meant a malicious actor could have potentially modified or deleted training courses entirely.

Zero-Auth Flaw Exposes DoD Contractor

The scope of the exposed data represented a massive operational security risk.

Through a user-listing endpoint, the unprivileged test account accessed the entire user base, revealing names, email addresses, enrollment data, and the specific military bases where U.S. service members were stationed.

This level of exposure leaves personnel highly vulnerable to targeted phishing and doxing attacks.

Beyond personal records, course and organization endpoints leaked metadata and direct AWS S3 links to hundreds of confidential training manuals.

This included a 3D virtual training course for naval maintenance personnel marked as proprietary, as well as Army field manuals detailing the safe handling, arming sequences, and tactical deployment of explosive ordnance.

Strix first reported the vulnerability privately to Schemata on December 2, 2025, highlighting challenges in responsible disclosure.

Despite multiple follow-up attempts warning of the critical nature of the exploit, the vulnerability remained live for months.

It was not until May 1, 2026, 150 days after the initial disclosure and following a final notice of impending publication, that Schemata acknowledged the exposed endpoints and applied an immediate patch. The researchers have since verified the remediation.

For defense contractors, API security is a strict regulatory requirement under federal rules such as DFARS 252.204-7012.

The Cybersecurity Maturity Model Certification (CMMC) requires contractors handling Controlled Unclassified Information (CUI) to have mandatory cybersecurity and breach-reporting obligations.

A platform serving military training data with no API authorization layer represents a foundational security failure.

Customers and partners in the defense sector are strongly encouraged to inquire about access logs, the duration of the exposure, and whether affected users have been formally notified.



Cyber Security News, by Guru Baran

Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access

5 de Maio de 2026, 23:55

Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.

The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.

The vulnerability resides in the User-ID™ Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), causing a buffer overflow that ultimately yields root-level code execution on the targeted firewall.

With a NETWORK attack vector, low attack complexity, and no privileges required, this flaw is fully automatable, making it an ideal candidate for mass-exploitation campaigns.

The exploit maturity is classified as ATTACKED, with Palo Alto Networks confirming limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.

Affected Products

The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:

  • PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  • PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7

Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID™ Authentication Portal explicitly enabled and accessible from untrusted networks.
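The fixed-release list above is awkward to apply by hand because each maintenance release has its own hotfix threshold. The following checker is an added example (not Palo Alto Networks code) that encodes exactly the branches and fixed releases listed in this article and decides whether a given PAN-OS version string still needs the fix. It assumes that a maintenance release between two listed entries must move to the next listed entry, and that maintenance releases above the highest listed entry for a branch already carry the fix; branches not in the list are reported as undecidable rather than guessed.

```python
import re
from typing import Optional

# Fixed releases for CVE-2026-0300, copied from the list in this article and
# keyed by PAN-OS branch. Each tuple is (maintenance release, hotfix); a hotfix
# of None means the base maintenance release itself carries the fix (11.1.15).
FIXED_RELEASES = {
    (10, 2): [(7, 34), (10, 36), (13, 21), (16, 7), (18, 6)],
    (11, 1): [(4, 33), (6, 32), (7, 6), (10, 25), (13, 5), (15, None)],
    (11, 2): [(4, 17), (7, 13), (10, 6), (12, None)],
    (12, 1): [(4, 5), (7, None)],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str):
    """Split '10.2.7-h33' into (10, 2, 7, 33); a missing hotfix counts as h0."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def _fix_label(major: int, minor: int, fix_maint: int, fix_hotfix) -> str:
    label = f"{major}.{minor}.{fix_maint}"
    return label if fix_hotfix is None else f"{label}-h{fix_hotfix}"


def recommended_fix(version: str) -> Optional[str]:
    """Earliest fixed release at or above `version`, or None if already fixed.
    Raises KeyError for a branch that the advisory list does not cover."""
    major, minor, maint, hotfix = parse_panos_version(version)
    fixes = FIXED_RELEASES[(major, minor)]
    for fix_maint, fix_hotfix in fixes:
        if maint < fix_maint:
            # Below a fixed maintenance release with nothing earlier fixing it:
            # vulnerable, and that release is the nearest target.
            return _fix_label(major, minor, fix_maint, fix_hotfix)
        if maint == fix_maint:
            if fix_hotfix is not None and hotfix < fix_hotfix:
                return _fix_label(major, minor, fix_maint, fix_hotfix)
            return None  # this release, or a later hotfix of it, is fixed
    # Assumption: maintenance releases above the highest listed entry are fixed.
    return None


def is_vulnerable(version: str) -> Optional[bool]:
    """True/False for branches in the advisory list, None for other branches."""
    try:
        return recommended_fix(version) is not None
    except KeyError:
        return None


def assess(version: str, portal_enabled: bool, reachable_from_untrusted: bool) -> str:
    """Fold the version check into the exposure conditions the advisory names."""
    vulnerable = is_vulnerable(version)
    if vulnerable is None:
        return "branch not covered by this advisory list; consult the vendor advisory"
    if not vulnerable:
        return "fixed release"
    if not portal_enabled:
        return "vulnerable code present but Authentication Portal disabled; patch in the normal cycle"
    if reachable_from_untrusted:
        return f"EMERGENCY: restrict or disable the portal now, then upgrade to {recommended_fix(version)}"
    return f"upgrade to {recommended_fix(version)}; portal reachable only from trusted addresses"


if __name__ == "__main__":
    for candidate in ["10.2.7-h33", "10.2.7-h34", "10.2.8", "11.1.15", "12.1.9"]:
        print(candidate, is_vulnerable(candidate), recommended_fix(candidate))
```

The portal flags in `assess` matter as much as the version: the advisory says only firewalls with the Authentication Portal enabled and reachable from untrusted networks are exposed, so a vulnerable build with the portal disabled is a normal patch-cycle item, not an emergency.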

When the Authentication Portal is internet-exposed, the CVSS score reaches its maximum threat tier at 9.3. Even in adjacent-network scenarios, the score remains a severe 8.7.

Successful exploitation results in high confidentiality, integrity, and availability impacts at the product level, effectively giving threat actors complete control over the targeted firewall.

The risk profile is particularly alarming given the high value of enterprise firewalls, which serve as critical network chokepoints.

Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.

Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:

  • Restrict Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s best practice guidelines
  • Disable the User-ID™ Authentication Portal entirely if it is not operationally required

A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.

Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to determine exposure.

Any portal accessible from the internet or untrusted zones should be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.


The post Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access appeared first on Cyber Security News.

  • ✇Cyber Security News
  • GnuTLS 3.8.13 Released with Fix for 12 Vulnerabilities Affecting Network Communications Abinaya

GnuTLS 3.8.13 Released with Fix for 12 Vulnerabilities Affecting Network Communications

May 5, 2026, 13:36

GnuTLS version 3.8.13 has been officially released to patch a dozen security vulnerabilities, including critical flaws affecting secure network communications.

The update is highly recommended for all systems using GnuTLS, as it addresses memory corruption, authentication bypasses, and certificate validation errors.

Four vulnerabilities discovered in this release are categorized as High severity and require immediate attention from security teams.

These critical flaws primarily impact the Datagram Transport Layer Security (DTLS) implementation and specific authentication configurations.

Threat actors often target these types of memory corruption and bypass vulnerabilities to compromise remote servers or disrupt services.

The update fixes a wide range of bugs, from timing side channels to critical heap overruns.

The table below highlights the most significant vulnerabilities patched in version 3.8.13:

CVE ID | Severity | Issue Type | Summary
CVE-2026-33846 | High | Heap Overwrite | Missing checks could let attackers overwrite memory.
CVE-2026-42010 | High | Auth Bypass | Flawed username handling allows login bypass.
CVE-2026-33845 | High | Heap Overrun | Memory error may let attackers overflow data remotely.
CVE-2026-42009 | High | Undefined Behavior | Packet sorting flaw may cause unpredictable issues.
CVE-2026-42013 | Medium | Cert Validation Issue | Improper certificate checks could weaken security.
CVE-2026-42014 | Medium | Use-After-Free | Memory bug triggered during PIN changes.
CVE-2026-3833 | Moderate | Constraint Bypass | Domain checks ignore case rules, risking validation bypass.
CVE-2026-5419 | Low | Timing Leak | Timing flaw may expose sensitive information.

According to the GnuTLS Security Advisory 2026, admins should upgrade to GnuTLS 3.8.13 to mitigate these threats.

Public-facing servers utilizing DTLS or RSA-PSK authentication are at the highest risk. They should be patched during the next available maintenance window.

To proactively defend, security operations centers should update their monitoring tools to detect anomalous DTLS traffic or malformed RSA-PSK authentication attempts.

Ensuring that foundational cryptographic libraries remain up to date is a critical strategy for preventing initial network compromise.


The post GnuTLS 3.8.13 Released with Fix for 12 Vulnerabilities Affecting Network Communications appeared first on Cyber Security News.

  • ✇Cyber Security News
  • Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks Abinaya

Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks

May 5, 2026, 13:08

A critical unauthenticated remote code execution vulnerability in the Weaver E-cology platform is currently being actively exploited in the wild.

CVE-2026-22679 carries a maximum CVSS score of 9.8 and affects Weaver E-cology 10.0 builds released before 20260312.

The security flaw exists in an exposed debug endpoint that allows attackers to execute arbitrary commands without requiring any authentication.

By sending specially crafted POST requests, attackers can pass malicious input directly to the operating system.

The earliest evidence of exploitation was observed on March 17, 2026, just five days after the vendor patch was released.

The Vega Threat Research team has uncovered a series of attacks that began just days after the vendor released an official patch.

This rapid weaponization highlights how quickly threat actors can adopt new exploits to compromise enterprise platforms.

Weaver E-cology RCE exploited

The attackers began their campaign by verifying their remote code execution capabilities through simple ping callbacks.

Using the Tomcat-bundled Java Virtual Machine, they launched a series of ping commands directed at a callback infrastructure associated with the Goby vulnerability-scanning framework.

This technique allowed the attackers to easily confirm their access by checking the HTTP response body for unique marker tokens.

Following their initial access, the operators aggressively attempted to deliver various malicious payloads over three days.

They tried to drop multiple executable files and a Windows Installer package specifically named to reflect the targeted Weaver software.

Fortunately, robust endpoint detection and response defenses successfully quarantined these attempts, effectively preventing the deployment of the malicious files.

After security tools blocked their initial payloads, the attackers shifted to active evasion.

They copied the legitimate Windows PowerShell executable to a file with a plain-text (.txt) name to bypass standard process-name detection.

Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also successfully intercepted.

Throughout the attack sequence, the threat actors continuously executed system discovery commands like whoami and tasklist.

Because the vulnerable debug endpoint reflects the output of executed commands directly in the HTTP response, the attackers did not need to establish a persistent shell on the victim host.

This strict request-and-response behavior allowed them to effortlessly conduct discovery and payload delivery concurrently.

Organizations running Weaver E-cology must urgently update their systems to build 20260312 or later, which completely removes the vulnerable debug endpoint.

Vega Threat Research advises security teams to actively monitor for anomalous processes parented by the Java Virtual Machine, particularly those involving network utilities or command-line interpreters.

Implementing robust endpoint defenses and routinely reviewing network traffic to the affected API paths can also help identify potential compromise attempts.
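The monitoring advice above (JVM-parented interpreters and network utilities, a renamed PowerShell binary, callbacks to the listed addresses) can be expressed as a small rule set. The following detector is an added example, not code from Vega Threat Research. It runs over constructed process-creation records in a simple `Key=Value|Key=Value` format (assumed, not any product's native format); the `OriginalFileName` field is assumed to behave like the Sysmon field of that name, i.e. to come from the PE version resource and therefore survive a rename. The indicator addresses are the ones from this article's IOC table and are kept defanged, both in the rule data and in the sample records.

```python
import re
from typing import Dict, List, Tuple

# Network indicators from the article's IOC table, kept defanged as published.
IOC_IPS_DEFANGED = {
    "152.32.173[.]138", "205.209.116[.]54", "161.132.49[.]114",
    "141.11.89[.]42", "132.243.172[.]2",
}
# Plain dotted form -> published defanged form, so reports stay defanged.
_IOC_BY_PLAIN = {ip.replace("[.]", "."): ip for ip in IOC_IPS_DEFANGED}

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
NETWORK_UTILITIES = {"ping.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "nslookup.exe"}
JVM_IMAGES = {"java.exe", "javaw.exe"}

# Matches dotted or [.]-defanged IPv4 literals inside a command line.
_IPV4 = re.compile(r"\b\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}\b")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)


def analyze(event: Dict[str, str]) -> List[str]:
    """Apply the three rules to a single process-creation event."""
    findings: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    # OriginalFileName is assumed to come from the PE version resource, so a
    # copied-and-renamed binary still reports its real name here.
    original = event.get("OriginalFileName", "").lower()
    effective = original or image
    cmdline = event.get("CommandLine", "")

    # Rule 1: the JVM spawning an interpreter or a network utility.
    if parent in JVM_IMAGES and effective in INTERPRETERS | NETWORK_UTILITIES:
        findings.append(f"{parent} spawned {effective} (as {image})")
    # Rule 2: PowerShell running under a different on-disk name.
    if effective == "powershell.exe" and image != "powershell.exe":
        findings.append(f"renamed PowerShell binary: {image}")
    # Rule 3: command line referencing a published indicator address.
    for ip in _IPV4.findall(cmdline):
        plain = ip.replace("[.]", ".")
        if plain in _IOC_BY_PLAIN:
            findings.append(f"command line references IOC {_IOC_BY_PLAIN[plain]}")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, finding) pairs for a batch of records."""
    return [(i, f) for i, line in enumerate(lines) for f in analyze(parse_event(line))]


# Constructed sample records (not real telemetry). The indicator address is
# left defanged even here so the sample never resolves anywhere.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Tomcat\jre\bin\java.exe|Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|CommandLine=cmd.exe /c ping -n 1 152.32.173[.]138",
    r"ParentImage=C:\Tomcat\jre\bin\java.exe|Image=C:\Windows\Temp\2.txt|OriginalFileName=PowerShell.EXE|CommandLine=2.txt -NoProfile -Command whoami",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|CommandLine=cmd.exe /c dir",
    r"ParentImage=C:\Tomcat\jre\bin\java.exe|Image=C:\Tomcat\jre\bin\java.exe|OriginalFileName=java.exe|CommandLine=java -version",
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Rule 1 keys on the effective name rather than the on-disk name, which is what makes the renamed-binary case in the second sample record still show up as a JVM-spawned PowerShell; the explorer-spawned cmd.exe in the third record is deliberately not flagged, since the signal in this campaign is the Tomcat JVM as parent, not cmd.exe itself.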

Indicators of Compromise (IOCs)

Network Indicators

IP Address | Purpose | Associated URLs / Activity
152.32.173[.]138 | Callback verification (Goby framework) | http://152.32.173[.]138/U<16hex>.<8hex>
205.209.116[.]54 | Initial payload hosting | /vsgbt.exe, /hjchhb.exe
161.132.49[.]114 | Base64 stager hosting | /config.js
141.11.89[.]42 | MSI payload delivery | /fanwei0324.msi
132.243.172[.]2 | Fileless PowerShell scripts | /config/xx.ps1, /w-2026/x.ps1

File Hash

File Name | SHA256 Hash
fanwei0324[.]msi | 147ac3f24b2b63544d65070007888195a98d30e380f2d480edffb3f07a78377f

Filenames / Artifacts

Filename | Description
vsgbt[.]exe | Initial stager
hjchhb[.]exe | Initial stager
nvm[.]exe | Fake Node Version Manager binary
fanwei0324[.]msi | Malicious MSI installer
2[.]txt | Renamed PowerShell binary
config[.]js | Base64 stager
xx[.]ps1 / x[.]ps1 | Fileless PowerShell payloads

Host Indicators

Indicator Type | Description
Suspicious Processes | java[.]exe spawning cmd[.]exe, powershell[.]exe, ping[.]exe
Exploitation Sign | Unauthorized command execution via debug endpoint

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.

  • ✇Firewall Daily – The Cyber Express
  • PAN-OS Flaw CVE-2026-0300 Exposes Firewalls to Remote Code Execution Ashish Khaitan

PAN-OS Flaw CVE-2026-0300 Exposes Firewalls to Remote Code Execution

Buffer Overflow Vulnerability

A newly disclosed cybersecurity issue, tracked as CVE-2026-0300, has drawn urgent attention due to its critical severity and active exploitation. The flaw affects PAN-OS, the operating system used in Palo Alto Networks firewalls, and has been categorized as a buffer overflow vulnerability with serious implications for enterprise security environments.

The CVE-2026-0300 PAN-OS vulnerability was officially published on May 6, 2026, and updated the same day after being discovered in real-world production environments. It carries a CVSS score of 9.3, placing it firmly in the “critical” category. The issue stems from a buffer overflow vulnerability in the User-ID Authentication Portal, also known as the Captive Portal service, within PAN-OS.

This flaw allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. Because the attack requires no authentication, no user interaction, and can be carried out over the network with low complexity, the exposure risk is considered extremely high.

Technical Details of the Buffer Overflow Vulnerability in PAN-OS 

The root cause of CVE-2026-0300 PAN-OS is classified under CWE-787: Out-of-bounds Write, a common but dangerous type of buffer overflow vulnerability. Attackers can exploit this flaw to overwrite memory and potentially take full control of affected systems.

The vulnerability impacts PA-Series and VM-Series firewalls when the User-ID™ Authentication Portal is enabled. Importantly, Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

Security data associated with the vulnerability highlights the following:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality, Integrity, Availability Impact: High

Additionally, the vulnerability is automatable and has already reached the “ATTACKED” stage in exploit maturity, indicating that real-world attacks have been observed.

Active Exploitation and Risk Factors 

Evidence shows limited exploitation of CVE-2026-0300 PAN-OS, particularly targeting systems where the User-ID Authentication Portal is exposed to untrusted networks or the public internet. Environments that allow external access to this portal face the highest level of risk. The severity is further highlighted by the CVSS vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H

This translates to a scenario where attackers can remotely compromise systems without needing credentials or user involvement, leveraging the buffer overflow vulnerability to gain root-level access.

Affected and Unaffected Versions 

Multiple versions of PAN-OS are impacted by CVE-2026-0300, including:
  • PAN-OS 12.1 versions prior to 12.1.4-h5 and 12.1.7
  • PAN-OS 11.2 versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 11.1 versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 10.2 versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6

Patches are scheduled with estimated availability dates ranging from May 13 to May 28, 2026. Cloud NGFW and Prisma Access deployments remain unaffected.

Mitigation and Workarounds 

While patches are being rolled out, organizations are advised to take immediate steps to reduce exposure to the buffer overflow vulnerability in PAN-OS. Recommended mitigations include:
  • Restricting access to the User-ID Authentication Portal to trusted internal IP addresses only
  • Preventing any exposure of the portal to the public internet
  • Disabling the User-ID Authentication Portal entirely if it is not required

The risk associated with CVE-2026-0300 PAN-OS drops significantly when these best practices are implemented. Systems that already follow strict network segmentation and access control policies are at a much lower risk.

  • ✇Cyber Security News
  • WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs Guru Baran

WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs

May 5, 2026, 06:47

Meta has disclosed a medium-severity security vulnerability in WhatsApp that could allow threat actors to exploit Instagram Reels integration to trigger arbitrary URL processing on victim devices, potentially invoking OS-level custom URL scheme handlers without user consent.

WhatsApp Vulnerabilities

The flaw, tracked as CVE-2026-23866, stems from incomplete validation of AI-rich response messages for Instagram Reels in the WhatsApp application.

The vulnerability affects both major mobile platforms: WhatsApp for iOS versions v2.25.8.0 through v2.26.15.72 and WhatsApp for Android versions v2.25.8.0 through v2.26.7.10.

The vulnerability was discovered through a Meta Bug Bounty submission by an external researcher and was independently confirmed by the Meta Security Team.

At its core, CVE-2026-23866 exploits the way WhatsApp processes AI-generated rich response messages that display Instagram Reels content.

When a user interacts with or receives such a message, the application fails to sufficiently validate the source URL of the embedded media content.

This incomplete validation allows a malicious actor to craft a specially formatted message that causes the victim’s device to fetch and process media from an arbitrary URL under the attacker’s control.

A second vulnerability, tracked as CVE-2026-23863, is classified as an attachment spoofing issue affecting WhatsApp for Windows prior to version v2.3000.1032164386.258709.

The vulnerability was discovered by an external researcher through the Meta Bug Bounty Program and has since been patched by Meta.

The flaw requires no special privileges to exploit, only a single click from an unsuspecting user.

The root cause of CVE-2026-23863 lies in how WhatsApp for Windows handles filenames containing embedded NUL bytes, a null character (\x00) injected into the filename string.

This technique, commonly referred to as a NUL byte injection or null byte poisoning, exploits the difference in how high-level application logic and lower-level system calls interpret filenames.
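The two-layer disagreement described above can be made concrete with a small check. The following is an added example, not Meta's code and not a description of WhatsApp's internals: it models a length-aware application layer that sees the whole string (and therefore the trailing extension) against a NUL-terminated consumer that stops at the first `\x00`, reports when the two would disagree about the file type, and shows the validation a receiving application should apply before the name reaches any OS API. The attachment names used are constructed.

```python
import os
import re

# Characters that must never reach the OS in an attachment name: NUL and other
# control characters, and path separators / Windows-reserved characters.
_FORBIDDEN = re.compile(r'[\x00-\x1f\\/:*?"<>|]')


def effective_name(display_name: str) -> str:
    """What a NUL-terminated (C string) consumer acts on: text before the first NUL."""
    return display_name.split("\x00", 1)[0]


def extension(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def spoof_report(display_name: str) -> dict:
    """Compare the extension a length-aware UI layer would show with the one a
    NUL-terminated file system layer would actually act on."""
    effective = effective_name(display_name)
    shown_ext = extension(display_name)       # computed on the full string
    effective_ext = extension(effective)      # computed on the truncated string
    return {
        "shown": display_name.replace("\x00", "\\x00"),  # printable form for logs
        "effective": effective,
        "shown_ext": shown_ext,
        "effective_ext": effective_ext,
        "spoofed": "\x00" in display_name and shown_ext != effective_ext,
    }


def validate_attachment_name(display_name: str) -> str:
    """Reject any name the two layers could interpret differently, or that could
    escape the intended directory. Returns the name unchanged when it is safe."""
    if "\x00" in display_name:
        raise ValueError("embedded NUL byte in attachment name")
    if _FORBIDDEN.search(display_name):
        raise ValueError("control character or path separator in attachment name")
    if display_name in ("", ".", "..") or display_name != display_name.strip():
        raise ValueError("empty, dot-only, or padded attachment name")
    return display_name


if __name__ == "__main__":
    for name in ["invoice.pdf", "report.exe\x00.pdf"]:   # constructed samples
        print(spoof_report(name))
```

`spoof_report` only explains the mismatch; `validate_attachment_name` is the part an application needs, and it should run on the name as received from the wire, before any display logic or any call that converts the string to a C-style path.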

Platform | Vulnerable Versions | Fixed Version
WhatsApp for iOS | v2.25.8.0 – v2.26.15.72 | Later than v2.26.15.72
WhatsApp for Android | v2.25.8.0 – v2.26.7.10 | Later than v2.26.7.10

Exploitation Status

Meta has stated that no evidence of active exploitation in the wild has been observed at the time of disclosure.

However, given the wide attack surface and WhatsApp’s global user base exceeding 2 billion, the potential impact of weaponization remains significant, particularly in targeted spyware or nation-state threat actor operations.

Mitigations

Security teams and individual users should take the following immediate actions:

  • Update WhatsApp for iOS to a version later than v2.26.15.72
  • Update WhatsApp for Android to a version later than v2.26.7.10
  • Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments
  • Monitor network traffic for anomalous URL scheme invocations originating from messaging applications
  • Educate users about risks associated with AI-generated rich media content in messaging platforms.


The post WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs appeared first on Cyber Security News.

  • ✇Cyber Security News
  • Critical Android Zero-Click Vulnerability Grants Remote Shell Access Abinaya

Critical Android Zero-Click Vulnerability Grants Remote Shell Access

May 5, 2026, 04:24

Google has published the May 2026 Android Security Bulletin, alerting the ecosystem to a highly severe remote code execution (RCE) flaw.

Tracked as CVE-2026-0073, this critical vulnerability resides deep within the core Android System component.

It allows an attacker to gain remote shell access without requiring a single tap, download, or click from the device owner.

Threat actors can launch this zero-click attack proximally, meaning they only need to be on the same local network or in physical proximity to exploit a vulnerable mobile device.

Android Zero-Click Vulnerability

The root of CVE-2026-0073 lies within the adbd subcomponent, which stands for the Android Debug Bridge daemon.

Developers traditionally utilize this system service to communicate with a device, run terminal commands, and modify system behavior.

Because the flaw grants remote code execution as a “shell” user, attackers can bypass normal application sandboxes.

They do not need any special execution privileges or user interaction to deploy their malicious payloads successfully.

Imagine the adbd service as a restricted maintenance door on a secure corporate building.

This vulnerability acts like a master key that works over a wireless connection, allowing an intruder to quietly unlock the door and issue commands to the building’s internal systems without the security guard ever noticing.

This frictionless level of access makes the vulnerability highly dangerous and incredibly attractive to advanced threat actors.

Because the adbd service is a Project Mainline component distributed via Google Play system updates, the flaw affects multiple recent generations of the operating system.

Android 14, Android 15, Android 16, and Android 16-QPR2 devices are currently at risk.

Google has resolved this critical issue in the May 1, 2026, security patch level, as detailed in the Android Security Bulletin May 2026.

All Android hardware partners were notified of this vulnerability at least a month in advance to help them prepare over-the-air firmware updates.

Corresponding source code patches are also being pushed to the Android Open Source Project (AOSP) repository to ensure ongoing platform stability for the wider ecosystem.

Device owners must prioritize installing the latest security updates immediately to block potential exploitation.

To confirm that a device is protected, navigate to system settings and verify that the security patch level is May 1, 2026, or later.

Users should also manually check for pending Google Play system updates, as some devices running Android 10 or later may receive targeted component patches via this alternative channel.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Critical Android Zero-Click Vulnerability Grants Remote Shell Access appeared first on Cyber Security News.

  • ✇Cyber Security News
  • Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch Guru Baran

Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch

May 5, 2026, 00:46

A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites.

The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior.

Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.

The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password.

Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials.

Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.

What makes this finding particularly contradictory is Edge’s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory.

The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction.

The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers.

An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.

In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory.

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB

— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026

This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 — Credentials from Web Browsers.

Microsoft Edge Passwords in Cleartext

When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.”

Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model.

The April 29 disclosure at BigBiteOfTech included a small educational verification tool that allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior.

Security teams managing Windows environments with Edge deployed, particularly those operating terminal servers, VDI environments, or other shared-access systems, should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.


The post Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch appeared first on Cyber Security News.

  • ✇Cyber Security News
  • Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks Guru Baran

Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks

May 4, 2026, 23:47

The Apache Software Foundation has released Apache HTTP Server 2.4.67 on May 4, 2026, a critical security update patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE). All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.

The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.

The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.

A double-free vulnerability occurs when a program attempts to release the same memory region twice, corrupting heap memory structures and potentially enabling an attacker to redirect execution flow, which in this case opens the door to Remote Code Execution.

The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.

A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.

A second flaw, CVE-2026-24072, is rated Moderate and targets mod_rewrite's use of ap_expr expression evaluation.

The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively enabling an escalation of privileges beyond their intended access level.

This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.

Additional Vulnerabilities Patched

Three further lower-severity flaws were also addressed in the same 2.4.67 update:

  • CVE-2026-28780 — A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
  • CVE-2026-29168 — An uncapped resource allocation vulnerability in mod_md's OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.
  • CVE-2026-29169 — A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs — its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.

CVE | Severity | Component | Impact | Affected Versions
CVE-2026-23918 | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only
CVE-2026-24072 | Moderate | mod_rewrite (ap_expr) | Privilege Escalation | ≤ 2.4.66
CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | ≤ 2.4.66
CVE-2026-29168 | Low | mod_md (OCSP) | Resource Exhaustion | 2.4.30–2.4.66
CVE-2026-29169 | Low | mod_dav_lock | NULL Ptr Dereference / DoS | ≤ 2.4.66

Mitigations

Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:

  1. Upgrade to Apache HTTP Server 2.4.67 — the only complete fix for all five vulnerabilities.
  2. Disable HTTP/2 temporarily if an immediate upgrade is not feasible to reduce exposure to CVE-2026-23918.
  3. Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
  4. Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.
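Steps 2 and 3 above are both configuration changes that can be verified from the server's own configuration files. The following audit script is an added example, not Apache project code: it reads an httpd configuration, reports whether HTTP/2 is actually negotiable (mod_http2 loaded and `h2`/`h2c` present in a `Protocols` directive; `Protocols` and `LoadModule` are standard httpd directives) and whether mod_dav_lock is loaded, and is shown against a constructed before/after pair of configuration fragments. It ignores container context, so a `Protocols h2` inside one virtual host still counts as exposure, which is the conservative reading for an interim check.

```python
from typing import Dict, Iterator, List, Tuple


def _directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive name lower-cased, arguments) for each directive line,
    skipping blanks, comments and <Container> open/close tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_httpd_conf(conf: str) -> Dict[str, object]:
    """Check the two interim mitigations from the advisory against a config."""
    http2_loaded = dav_lock_loaded = h2_advertised = False
    for name, args in _directives(conf):
        if name == "loadmodule" and args:
            module = args[0].lower()
            http2_loaded = http2_loaded or module == "http2_module"
            dav_lock_loaded = dav_lock_loaded or module == "dav_lock_module"
        elif name == "protocols":
            # httpd only offers HTTP/2 when a Protocols directive lists h2 or h2c.
            h2_advertised = h2_advertised or any(a.lower() in ("h2", "h2c") for a in args)
    findings: List[str] = []
    if http2_loaded and h2_advertised:
        findings.append("HTTP/2 negotiable: CVE-2026-23918 exposure on 2.4.66 until upgraded to 2.4.67")
    if dav_lock_loaded:
        findings.append("mod_dav_lock loaded: CVE-2026-29169 exposure; unload unless mod_dav_svn needs it")
    return {
        "http2_loaded": http2_loaded,
        "h2_advertised": h2_advertised,
        "dav_lock_loaded": dav_lock_loaded,
        "findings": findings,
    }


# Constructed before/after fragments (not from the Apache project).
WEAK_CONF = """
LoadModule http2_module modules/mod_http2.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_lock_module modules/mod_dav_lock.so
Protocols h2 http/1.1
"""

HARDENED_CONF = """
# mod_http2 may stay loaded; dropping h2 from Protocols is what stops negotiation.
LoadModule http2_module modules/mod_http2.so
LoadModule dav_module modules/mod_dav.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
Protocols http/1.1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_httpd_conf(conf))
```

Run it against the concatenation of httpd.conf and every included file; after changing the configuration, `apachectl configtest` followed by a graceful restart applies it. Both checks are stopgaps: the advisory's only complete fix is the 2.4.67 upgrade.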


The post Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks appeared first on Cyber Security News.
