CISA warns that the nine-year-old Linux Copy Fail flaw is being actively exploited, allowing local attackers to gain root access on affected systems.
The post CISA Warning: High-Severity Linux Flaw Puts Unpatched Systems at Risk appeared first on TechRepublic.
Apache has patched CVE-2026-23918, a critical flaw in Apache HTTP Server’s HTTP/2 handling that Apache describes as a “double free and possible RCE.” The issue affects Apache HTTP Server 2.4.66 and was fixed in 2.4.67, released on May 4, 2026.
The CVE-2026-23918 vulnerability matters because it can be abused remotely and without authentication. Public reporting says the bug can cause a denial-of-service condition and, under certain conditions, may also open a path to remote code execution, making it one of the most serious issues addressed in Apache’s latest security release.
Apache credits Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl with reporting the flaw. Apache’s own vulnerability page shows it was reported to the security team on December 10, 2025, fixed in source on December 11, 2025, and shipped to users in the 2.4.67 release months later.
According to Apache and researcher commentary cited by The Hacker News, the bug is a double-free in mod_http2, specifically in the stream cleanup path. It can be triggered when a client sends an HTTP/2 HEADERS frame and then immediately sends RST_STREAM with a non-zero error code before the stream is fully registered by the multiplexer.
That sequence can cause two callbacks to run in a way that pushes the same stream object into the cleanup array twice. When Apache later destroys the stream entries, memory that has already been freed gets released again. In practical terms, the vulnerability in CVE-2026-23918 is a memory-management flaw that can crash worker processes and, in the right environment, be shaped into code execution.
The denial-of-service path appears to be the easiest outcome. The researchers told The Hacker News that one TCP connection and two HTTP/2 frames are enough to crash a worker in default deployments that use mod_http2 with a multi-threaded MPM. They also noted that MPM prefork is not affected, while the possible RCE path depends on an APR configuration using the mmap allocator, which is said to be the default on Debian-derived systems and in the official httpd Docker image.
As for exploitation maturity, public reporting says the researchers built a working CVE-2026-23918 poc for x86_64 in lab conditions. They also said practical exploitation still needs helpful conditions such as an information leak and favorable memory reuse, so code execution is more demanding than simple service disruption.
At this stage, public details for CVE-2026-23918 point much more clearly to process crashes and worker instability than to widely reproducible RCE in the field. There are also no vendor-published CVE-2026-23918 iocs, so defenders should focus on version exposure, unexpected worker crashes, and suspicious HTTP/2 reset patterns rather than on a stable signature set.
The core fix is to upgrade Apache HTTP Server from 2.4.66 to 2.4.67. Apache’s security advisory explicitly recommends moving to the patched version, and SecurityWeek notes that the release fixes 11 vulnerabilities, including this critical HTTP/2 issue.
For immediate triage, defenders should identify internet-facing systems where mod_http2 is enabled and where threaded MPMs are in use. That is the most practical way to detect CVE-2026-23918 exposure because the attack hinges on HTTP/2 request handling, not on a dropped malware artifact or traditional post-exploitation beacon.
If emergency patching is delayed, reducing exposure to HTTP/2 traffic may help shrink the attack surface until updates are applied. The CVE-2026-23918 payload described publicly is not a conventional file or binary but a crafted sequence of HTTP/2 frames designed to force the faulty cleanup path, so network-facing Apache instances should be prioritized first.
From a risk perspective, CVE-2026-23918 affects organizations that rely on Apache HTTP Server 2.4.66 for public web workloads, especially where HTTP/2 is enabled by default or broadly deployed for performance reasons. That includes standard Linux-based web servers as well as containerized deployments using the official Apache image.
What is CVE-2026-23918 and how does it work?
It is a critical double-free flaw in Apache HTTP Server’s HTTP/2 handling. A specially timed sequence of HTTP/2 frames can push the same stream object into cleanup twice, leading to worker crashes and potentially enabling remote code execution under favorable conditions.
When was CVE-2026-23918 first discovered?
Apache’s vulnerability page says the issue was reported to the security team on December 10, 2025. The fix landed in source on December 11, 2025, and the patched 2.4.67 release was published on May 4, 2026.
What is the impact of CVE-2026-23918 on systems?
The most immediate impact is denial of service through crashed Apache workers. Public reporting also says the flaw may allow remote code execution, although that path appears more complex and environment-dependent than the crash scenario.
Can CVE-2026-23918 still affect me in 2026?
Yes. Systems can still be exposed in 2026 if they are running Apache HTTP Server 2.4.66 with mod_http2 enabled and have not yet been updated to 2.4.67. The risk is especially relevant for deployments using threaded MPMs.
How can I protect myself from CVE-2026-23918?
Upgrade to Apache HTTP Server 2.4.67 as soon as possible, identify exposed HTTP/2-enabled deployments, and prioritize externally reachable servers for remediation. Where patching cannot happen immediately, reducing HTTP/2 exposure can help lower short-term risk.
The post CVE-2026-23918: Critical Apache HTTP/2 Flaw Can Trigger DoS and Possible RCE appeared first on SOC Prime.
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Office platform, as well as Windows and Linux operating systems.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged by popular C2 frameworks throughout Q1 2026.
This section provides statistical data on registered vulnerabilities. The data is sourced from cve.org.
We examine the number of registered CVEs for each month starting from January 2022. The total volume of vulnerabilities continues rising and, according to current reports, the use of AI agents for discovering security issues is expected to further reinforce this upward trend.
Total published vulnerabilities per month from 2022 through 2026 (download)
Next, we analyze the number of new critical vulnerabilities (CVSS > 8.9) over the same period.
Total critical vulnerabilities published per month from 2022 through 2026 (download)
The graph indicates that while the volume of critical vulnerabilities slightly decreased compared to previous years, an upward trend remained clearly visible. At present, we attribute this to the fact that the end of last year was marked by the disclosure of several severe vulnerabilities in web frameworks. The current growth is driven by high-profile issues like React2Shell, the release of exploit frameworks for mobile platforms, and the uncovering of secondary vulnerabilities during the remediation of previously discovered ones. We will be able to test this hypothesis in the next quarter; if correct, the second quarter will show a significant decline, similar to the pattern observed in the previous year.
This section presents statistics on vulnerability exploitation for Q1 2026. The data draws on open sources and our telemetry.
In Q1 2026, threat actor toolsets were updated with exploits for new, recently registered vulnerabilities. However, we first examine the list of veteran vulnerabilities that consistently account for the largest share of detections:
Among the newcomers, we have observed exploits targeting the Microsoft Office platform and Windows OS components. Notably, these new vulnerabilities exploit logic flaws arising from the interaction between multiple systems, making them technically difficult to isolate within a specific file or library. A list of these vulnerabilities is provided below:
These three vulnerabilities were utilized together in a single chain during attacks on Windows-based user systems. While this combination is noteworthy, we believe the widespread use of the entire chain as a unified exploit will likely decline due to its instability. We anticipate that these vulnerabilities will eventually be applied individually as initial entry vectors in phishing campaigns.
Below is the trend of exploit detections on user Windows systems starting from Q1 2025.
Dynamics of the number of Windows users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)
The vulnerabilities listed here can be leveraged to gain initial access to a vulnerable system and for privilege escalation. This underscores the critical importance of timely software updates.
On Linux devices, exploits for the following vulnerabilities were detected most frequently:
Dynamics of the number of Linux users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)
In the first quarter of 2026, we observed a decrease in the number of detected exploits; however, the detection rates are on the rise relative to the same period last year. For the Linux operating system, the installation of security patches remains critical.
The distribution of published exploits by software type in Q1 2026 features an updated set of categories; once again, we see exploits targeting operating systems and Microsoft Office suites.
Distribution of published exploits by platform, Q1 2026 (download)
We analyzed which vulnerabilities were utilized in APT attacks during Q1 2026. The ranking provided below includes data based on our telemetry, research, and open sources.
TOP 10 vulnerabilities exploited in APT attacks, Q1 2026 (download)
In Q1 2026, threat actors continued to utilize high-profile vulnerabilities registered in the previous year for APT attacks. The hypothesis we previously proposed has been confirmed: security flaws affecting web applications remain heavily exploited in real-world attacks. However, we are also observing a partial refresh of attacker toolsets. Specifically, during the first quarter of the year, APT campaigns leveraged recently discovered vulnerabilities in Microsoft Office products, edge networking device software, and remote access management systems. Although the most recent vulnerabilities are being exploited most heavily, their general characteristics continue to reinforce established trends regarding the categories of vulnerable software. Consequently, we strongly recommend applying the security patches provided by vendors.
In this section, we examine the most popular C2 frameworks used by threat actors and analyze the vulnerabilities targeted by the exploits that interacted with C2 agents in APT attacks.
The chart below shows the frequency of known C2 framework usage in attacks against users during Q1 2026, according to open sources.
TOP 10 C2 frameworks used by APTs to compromise user systems, Q1 2026 (download)
Metasploit has returned to the top of the list of the most common C2 frameworks, displacing Sliver, which now shares the second position with Havoc. These are followed by Covenant and Mythic, the latter of which previously saw greater popularity. After studying open sources and analyzing samples of malicious C2 agents that contained exploits, we determined that the following vulnerabilities were utilized in APT attacks involving the C2 frameworks mentioned above:
The nature of the described vulnerabilities indicates that they were exploited to gain initial access to the system. Notably, the majority of these security issues are targeted to bypass authentication mechanisms. This is likely due to the fact that C2 agents are being detected effectively, prompting threat actors to reduce the probability of discovery by utilizing bypass exploits.
This section highlights the most significant vulnerabilities published in Q1 2026 that have publicly available descriptions.
At the core of this vulnerability is a Type Confusion flaw. By attempting to access a resource within the Desktop Window Manager subsystem, an attacker can achieve privilege escalation. A necessary condition for exploiting this issue is existing authorization on the system.
It is worth noting that the DWM subsystem has been under close scrutiny by threat actors for quite some time. Historically, the primary attack vector involves interacting with the NtDComposition* function set.
CVE-2026-21533 is essentially a logic vulnerability that enables privilege escalation. It stems from the improper handling of privileges within Remote Desktop Services (RDS) components. By modifying service parameters in the registry and replacing the configuration with a custom key, an attacker can elevate privileges to the SYSTEM level. This vulnerability is likely to remain a fixture in threat actor toolsets as a method for establishing persistence and gaining high-level privileges.
This vulnerability was discovered in the wild during attacks on user systems. Notably, an LNK file is used to initiate the exploitation process. CVE-2026-21514 is also a logic issue that allows for bypassing OLE technology restrictions on malicious code execution and the transmission of NetNTLM authentication requests when processing untrusted input.
This vulnerability in the AI agent leaks credentials (authentication tokens) when queried via the WebSocket protocol. It can lead to the compromise of the infrastructure where the agent is installed: researchers have confirmed the ability to access local system data and execute commands with elevated privileges. The danger of CVE-2026-25253 is further compounded by the fact that its exploitation has generated numerous attack scenarios, including the use of prompt injections and ClickFix techniques to install stealers on vulnerable systems.
LangChain is an open-source framework designed for building applications powered by large language models (LLMs). A directory traversal vulnerability allowed attackers to access arbitrary files within the infrastructure where the framework was deployed. The core of CVE-2026-34070 lies in the fact that certain functions within langchain_core/prompts/loading.py handled configuration files insecurely. This could potentially lead to the processing of files containing malicious data, which could be leveraged to execute commands and expose critical system information or other sensitive files.
CVE-2026-22812 is another vulnerability identified in AI-assisted coding software. By default, the OpenCode agent provided local access for launching authorized applications via an HTTP server that did not require authentication. Consequently, attackers could execute malicious commands on a vulnerable device with the privileges of the current user.
We observe that the registration of vulnerabilities is steadily gaining momentum in Q1 2026, a trend driven by the widespread development of AI tools designed to identify security flaws across various software types. This trajectory is likely to result not only in a higher volume of registered vulnerabilities but also in an increase in exploit-driven attacks, further reinforcing the critical necessity of timely security patch deployment. Additionally, organizations must prioritize vulnerability management and implement effective defensive technologies to mitigate the risks associated with potential exploitation.
To ensure the rapid detection of threats involving exploit utilization and to prevent their escalation, it is essential to deploy a reliable security solution. Key features of such a tool include continuous infrastructure monitoring, proactive protection, and vulnerability prioritization based on real-world relevance. These mechanisms are integrated into Kaspersky Next, which also provides endpoint security and protection against cyberattacks of any complexity.
Edge security appliances remain high-value targets, especially when a flaw can be exploited before a patch is widely available. The CVE-2026-0300 vulnerability is a critical buffer overflow in the User-ID Authentication Portal, also known as Captive Portal, in Palo Alto Networks PAN-OS. Palo Alto rates it 9.3/10 when the portal is exposed to the internet or other untrusted networks, and says an unauthenticated attacker can execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets.
For teams beginning CVE-2026-0300 analysis, the most important details for CVE-2026-0300 are the exposure conditions: the issue applies only when User-ID Authentication Portal is enabled, and Palo Alto says risk is greatly reduced when access is limited to trusted internal IP addresses. The company also says limited exploitation has already been observed against portals exposed to untrusted IP space or the public internet.
In practice, CVE-2026-0300 affects only PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Prisma Access, Cloud NGFW, and Panorama are not impacted, which makes configuration review as important as version review when triaging exposure.
The vulnerability in CVE-2026-0300 is a buffer overflow in PAN-OS’s User-ID Authentication Portal service. According to Palo Alto, exploitation does not require credentials or user interaction, and the attacker’s goal is remote code execution as root through specially crafted network packets. SecurityWeek likewise describes the flaw as a zero-day used to hack some firewall models, underscoring that this is not a theoretical issue.
The publicly described CVE-2026-0300 payload is not a malware file dropped to disk but a malicious packet sequence sent to the Captive Portal component. Neither the vendor advisory nor the cited media reports includes a public CVE-2026-0300 poc, but the confirmed in-the-wild exploitation means defenders should assume capable threat actors already understand the triggering conditions well enough to weaponize them.
From a risk standpoint, CVE-2026-0300 detection should focus on externally reachable Authentication Portal instances and signs of attempted access to that service from untrusted networks. Palo Alto’s advisory does not publish packet-level CVE-2026-0300 iocs, so defenders are better served by identifying exposed portal configurations, narrowing allowed source IP ranges, and prioritizing internet-facing firewalls for remediation.
Effective CVE-2026-0300 mitigation starts with reducing exposure before fixes land. Palo Alto recommends either restricting User-ID Authentication Portal access to trusted zones/internal IP addresses or disabling the portal entirely if it is not required. That advice is especially important because, at disclosure, the flaw was still unpatched, with the first wave of fixes expected on May 13, 2026 and additional releases on May 28, 2026 across supported 12.1, 11.2, 11.1, and 10.2 trains.
To Detect CVE-2026-0300 exposure in your environment, verify whether Device > User Identification > Authentication Portal Settings has the portal enabled and determine whether it is reachable from the internet or any untrusted network segment. Palo Alto’s advisory makes clear that customers following this hardening model are at greatly reduced risk compared with deployments that leave the service publicly accessible.
Organizations should also map affected firewalls to Palo Alto’s target fixed versions and prepare an upgrade plan as soon as the relevant release becomes available. Because limited exploitation is already underway, this is a case where configuration hardening and emergency change control should happen in parallel rather than waiting for normal maintenance windows.
What is CVE-2026-0300 and how does it work?
CVE-2026-0300 is a critical PAN-OS buffer overflow in the User-ID Authentication Portal (Captive Portal). Palo Alto says an unauthenticated attacker can send specially crafted packets to the service and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls.
When was CVE-2026-0300 first discovered?
Palo Alto’s advisory says the issue was discovered in production use and was published on May 5, 2026. The public coverage from The Hacker News and SecurityWeek followed on May 6, 2026.
What is the impact of CVE-2026-0300 on systems?
The impact is severe: unauthenticated remote code execution as root on exposed firewalls. Because the flaw affects security infrastructure at the network edge, successful exploitation could give an attacker privileged control over a highly sensitive enforcement point.
Can CVE-2026-0300 still affect me in 2026?
Yes. Any affected PA-Series or VM-Series firewall can still be at risk in 2026 if it has User-ID Authentication Portal enabled and exposed to untrusted IP addresses or the public internet, especially until the relevant patched PAN-OS release is installed.
How can I protect myself from CVE-2026-0300?
Restrict User-ID Authentication Portal access to trusted internal IPs, disable it if it is unnecessary, and move to Palo Alto’s fixed PAN-OS builds as soon as they are available for your release train. The vendor explicitly says these steps materially reduce risk while active exploitation continues.
The post CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls appeared first on SOC Prime.
A newly disclosed CVE-2026-41940 vulnerability in cPanel & WHM has put internet-facing hosting infrastructure under urgent scrutiny. The flaw carries a CVSS score of 9.8 and can let an unauthenticated remote attacker bypass authentication and gain administrative access, while cPanel’s advisory says the issue affects cPanel software, including DNSOnly, across all versions after 11.40.
For defenders, CVE-2026-41940 detection should focus on exposed control panel instances, emergency patch validation, and session-file triage rather than malware hunting. Hosting provider KnownHost said the flaw was being actively exploited in the wild, and that a public technical analysis plus exploit code had already been released by watchTowr, raising the likelihood of broader opportunistic abuse.
The business risk is substantial because successful exploitation can give attackers control over the cPanel host, its configurations and databases, and the websites it manages. A simple Shodan query returned roughly 1.5 million exposed cPanel instances, underscoring how much attack surface may be available to both targeted and mass scanning activity.
The bug is describes as an authentication bypass rooted in CRLF injection during the login and session-loading process in cPanel & WHM. According to its technical overview, cpsrvd writes a new session file to disk before authentication completes, and an attacker can manipulate the whostmgrsession cookie so attacker-controlled values avoid the expected encryption path and are written into the session file unsanitized.
In practical terms, the vulnerability in CVE-2026-41940 lets an attacker inject arbitrary properties such as user=root into a session file, then trigger a reload so the application treats the session as administrative. That is why this issue is especially dangerous for shared hosting environments and server operators: it is not merely a login bug, but a route to privileged control over the management plane itself.
Unlike a malware dropper, the CVE-2026-41940 payload is a crafted authentication request that abuses newline injection and malformed session values to poison pre-auth session data. A public CVE-2026-41940 poc was already available through third-party research.
Official details for CVE-2026-41940 are broader than the exploit mechanics alone. cPanel says the issue affects cPanel software including DNSOnly, while patched builds were issued for 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, alongside WP Squared 136.1.7. TheCyberExpress also highlighted that administrators must verify the installed version and restart cpsrvd after updating.
Just as importantly, CVE-2026-41940 affects not only directly exposed cPanel & WHM systems but also operational workflows that rely on pinned builds or disabled automatic updates. That matters because cPanel warned that such servers will not auto-update and must be manually remediated as a priority, while unsupported versions may also remain exposed until organizations move to supported release tracks.
The vendor’s primary guidance is straightforward: update immediately to one of the fixed versions using /scripts/upcp –force, confirm the installed build with /usr/local/cpanel/cpanel -V, and restart the service with /scripts/restartsrv_cpsrvd. cPanel also says administrators should manually identify systems where updates are disabled or version pinning prevents automatic remediation.
When patching cannot happen right away, cPanel recommends temporary containment steps that include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall or stopping cpsrvd and cpdavd. TheCyberExpress echoed the same short-term advice and noted that some providers restricted panel access while broader patch rollout was underway.
To detect CVE-2026-41940, defenders should use the vendor’s filesystem-based detection script and review suspicious entries under /var/cpanel/sessions. cPanel’s script looks for session artifacts such as token_denied appearing together with cp_security_token, authenticated attributes inside pre-auth sessions, suspicious tfa_verified states, and malformed multi-line password values. Those published checks effectively act as CVE-2026-41940 iocs for post-exploitation triage.
If the script flags likely compromise, cPanel says defenders should purge affected sessions, force password resets for root and all WHM users, audit /var/log/wtmp and WHM access logs, and look for persistence such as cron entries, SSH keys, or backdoors. In other words, CVE-2026-41940 mitigation should be handled as both patching and incident response, not just a routine version upgrade. When patching cannot happen right away, cPanel recommends temporary containment steps that include blocking inbound traffic on ports 2083, 2087, 2095, 2096 and http ports 2082, 2086 at the firewall.
What is CVE-2026-41940 and how does it work?
It is a critical cPanel & WHM authentication bypass flaw that stems from session handling and CRLF injection in the login/session-loading flow. Attackers can manipulate pre-auth session data and ultimately create administrator-level access without valid credentials.
When was CVE-2026-41940 first discovered?
The private discovery date has not been publicly disclosed in the sources reviewed. Publicly, cPanel acknowledged the issue in a security advisory published on April 28, 2026.
What is the impact of CVE-2026-41940 on systems?
Successful exploitation can give an unauthenticated attacker administrative access to cPanel & WHM, which can translate into control over the host system, configurations, databases, and hosted websites. In shared hosting environments, that can turn a panel compromise into a full platform compromise.
Can CVE-2026-41940 still affect me in 2026?
Yes. Any exposed system that has not been updated to a fixed build can still be at risk in 2026, especially if automatic updates are disabled, the server is pinned to a vulnerable version, or it is running an unsupported release that has not yet been moved to a supported patched branch.
How can I protect myself from CVE-2026-41940?
Apply the vendor’s patched build immediately, restart cpsrvd, run the detection script against /var/cpanel/sessions, review for suspicious session artifacts, and treat any confirmed hit as a possible compromise requiring session purges, password resets, and log review. Short-term firewall restrictions can reduce exposure, but cPanel make clear that patching is the priority.
The post CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover appeared first on SOC Prime.
Apple has released security updates to address a Notification Services issue in iOS and iPadOS that could cause alerts marked for deletion to remain stored on a device. The fix was delivered in iOS 26.4.2 / iPadOS 26.4.2 and iOS 18.7.8 / iPadOS 18.7.8, where Apple says the problem was resolved through improved data redaction.
The issue drew attention because it was patched outside Apple’s normal release cycle and was publicly linked to concerns that deleted notification content could remain recoverable on affected devices. Based on public reporting, the flaw may have allowed sensitive message previews to persist in internal notification storage longer than users would reasonably expect.
For defenders and privacy-focused users, the key concern is not traditional remote exploitation but unintended data retention. At the time of disclosure, Apple did not publish exploit samples, telemetry artifacts, or a public proof-of-concept, leaving many technical details for CVE-2026-28950 limited to the vendor advisory and media reporting.
Apple describes the issue as a logging-related flaw in Notification Services that allowed notifications intended for deletion to be unexpectedly retained on the device. In practice, this means content visible in alerts, such as message previews or other app-generated text, may continue to exist in local storage after the user assumes it has been removed.
Public reporting connected the patch to earlier forensic concerns involving message content recovered from notification storage on iPhones. While Apple did not explicitly confirm those reports as the direct trigger for the update, the description of the flaw closely aligns with the broader privacy risk described in public coverage.
The main security impact is on confidentiality rather than integrity or availability. The problem is especially relevant in environments where lock-screen notifications or mobile message previews may expose regulated, operational, or otherwise sensitive information. From that standpoint, the CVE-2026-28950 vulnerability is best understood as a privacy and data-remanence issue rather than a conventional code-execution bug.
Public reporting also leaves several gaps. Apple did not assign a public CVSS score in the cited coverage, and there are no published network indicators or forensic signatures that would support classic threat hunting. As a result, organizations should focus on version validation and privacy controls rather than looking for a known CVE-2026-28950 payload or a fixed list of CVE-2026-28950 IOCs.
The primary response is to install Apple’s fixed releases across affected iPhone and iPad fleets. Security teams should verify that supported devices have moved to the patched versions and prioritize users who regularly handle confidential communications, executive discussions, legal material, or regulated data on mobile devices.
An additional defense-in-depth step is to reduce the amount of sensitive information shown in notifications. Public reporting notes that Signal users, for example, can limit what appears in alerts by changing notification content settings to display less message text. While that does not replace patching, it can reduce exposure where private data might otherwise remain accessible in notification storage.
From an operational perspective, the most practical path is simple: inventory devices, confirm version compliance, and review notification-preview policies for high-risk user groups. This is a more realistic protection strategy than trying to Detect CVE-2026-28950 through conventional threat indicators, because the issue centers on retained local data rather than a well-documented exploit chain.
Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.
What is CVE-2026-28950 and how does it work?
It is an iOS and iPadOS Notification Services flaw that could cause deleted notifications to remain stored on a device. Apple says the problem was caused by a logging issue and addressed it through improved data redaction.
When was CVE-2026-28950 first discovered?
The public sources do not provide a private discovery date. What is confirmed is that Apple released fixes on April 22, 2026.
What is the impact of CVE-2026-28950 on systems?
The main impact is exposure of sensitive notification content that may remain on the device after deletion. This can matter in forensic, privacy, or device-access scenarios where retained alert data could reveal message previews or other confidential content.
Can CVE-2026-28950 still affect me in 2026?
Yes. Devices that have not been updated to the patched releases may still be exposed during 2026, particularly if apps display sensitive content in notifications.
How can I protect myself from CVE-2026-28950?
Install Apple’s updates, verify device compliance, and reduce sensitive notification previews where possible. For privacy-sensitive environments, limiting the amount of message content shown in alerts is a sensible additional safeguard. If you want, I can now also make the meta title, meta description, and excerpt match this less-keyword-stuffed style.
The post CVE-2026-28950: Apple Fixes iOS Flaw That Retained Deleted Notification Data appeared first on SOC Prime.
Microsoft has released out-of-band updates for CVE-2026-40372, a high-impact ASP.NET Core privilege-escalation vulnerability tied to the platform’s Data Protection cryptographic APIs. Public reporting says the flaw carries a CVSS score of 9.1 and could allow an unauthenticated attacker to forge authentication material and ultimately obtain SYSTEM privileges on affected systems.
The issue stands out not only because of its severity, but also because it was serious enough to trigger an emergency release outside the normal patch cycle. BleepingComputer reports Microsoft investigated after customers saw decryption failures following the .NET 10.0.6 update, while The Hacker News notes the bug was reported by an anonymous researcher and fixed in ASP.NET Core 10.0.7.
According to Microsoft details cited by both publications, CVE-2026-40372 stems from improper verification of a cryptographic signature in ASP.NET Core. More specifically, the affected Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 NuGet packages could compute the HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases. That breaks the trust model behind protected application data and opens the door to forged payloads that pass authenticity checks.
The attack surface is narrower than a generic “all ASP.NET Core apps are vulnerable” headline might suggest. The Hacker News says successful exploitation depends on three conditions: the application must use Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet either directly or through a dependent package, the NuGet copy must actually be loaded at runtime, and the application must run on Linux, macOS, or another non-Windows operating system.
If those conditions are met, the impact can be severe. The affected validation routine may let an attacker forge payloads and decrypt previously protected values stored in items such as authentication cookies, antiforgery tokens, TempData, and OpenID Connect state. Microsoft also says exploitation could enable file disclosure and data modification, although it does not affect availability.
The most dangerous enterprise scenario is privilege escalation through trust abuse rather than noisy code execution. If an attacker can authenticate as a privileged user during the vulnerable window, the application may issue legitimately signed follow-on artifacts to the attacker, including refreshed sessions, API keys, or password-reset links. Those artifacts can remain valid even after the package is upgraded unless defenders also rotate the Data Protection key ring.
The primary fix is straightforward: update Microsoft.AspNetCore.DataProtection to version 10.0.7 and redeploy affected applications. Microsoft’s guidance, as quoted by BleepingComputer, is to apply the new package as soon as possible so the broken validation routine is corrected and forged payloads are rejected going forward.
That said, patching alone may not fully close the exposure. Both reports note that tokens issued during the vulnerable period can remain valid after upgrading unless the Data Protection key ring is rotated. In practice, organizations should treat key rotation as part of the remediation workflow, especially for internet-facing apps that rely heavily on cookies, antiforgery tokens, password-reset flows, or other signed application state. That last prioritization is an operational inference based on the affected token types and exploit preconditions.
A practical response plan is to identify non-Windows ASP.NET Core applications that loaded the vulnerable NuGet package at runtime, patch them to 10.0.7, rotate the Data Protection key ring, and review whether privileged sessions or other signed artifacts may have been issued while the application was exposed. Where feasible, teams should also consider expiring or reissuing sensitive session material after remediation. The package-and-runtime triage criteria come directly from Microsoft’s published conditions; the token review and reissuance step is a reasonable defensive inference from Microsoft’s warning that legitimately signed tokens may survive the upgrade.
Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.
What is CVE-2026-40372 and how does it work?
CVE-2026-40372 is an ASP.NET Core privilege-escalation flaw in the Data Protection cryptographic APIs. The affected packages can validate the wrong bytes and discard the computed HMAC in some cases, which can let attackers forge protected payloads and abuse application trust mechanisms such as authentication cookies and other signed state.
When was CVE-2026-40372 first discovered?
The precise private discovery date is not stated in the two reports. What is public is that Microsoft released out-of-band fixes on April 22, 2026, and BleepingComputer says Microsoft began investigating after customers reported decryption failures following the .NET 10.0.6 update. The Hacker News also says an anonymous researcher was credited with reporting the flaw.
What is the impact of CVE-2026-40372 on systems?
Successful exploitation can allow forged payloads, disclosure of protected data, file disclosure, data modification, and privilege escalation up to SYSTEM on affected systems. The reports also note that availability is not impacted.
Can CVE-2026-40372 still affect me in 2026?
Yes. Systems may still be exposed in 2026 if they continue to run the vulnerable Data Protection package under the affected conditions, especially on Linux, macOS, or other non-Windows hosts. Even after patching, artifacts issued during the vulnerable window may remain valid until the Data Protection key ring is rotated.
How can I protect myself from CVE-2026-40372?
Update Microsoft.AspNetCore.DataProtection to 10.0.7, redeploy affected applications, rotate the Data Protection key ring, and review whether sensitive signed artifacts such as authentication cookies, refresh sessions, API keys, or reset links should be invalidated or reissued. The package update and key-ring rotation are directly supported by Microsoft’s guidance; invalidation and reissuance are prudent follow-on actions based on the risk Microsoft described.
The post CVE-2026-40372: Critical ASP.NET Core Flaw May Let Attackers Gain SYSTEM Privileges appeared first on SOC Prime.
The False Sense of Security SMB signing on domain controllers has become standard practice across most Active Directory environments. But this hardening may have created a false sense of security. CVE-2025-33073 changes the calculus by removing the prerequisite of admin access, enabling NTLM relay attack Active Directory exploitation through unconstrained delegation. Domain controllers enforce SMB […]
The post Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem appeared first on Praetorian.
The post Reflecting on Your Tier Model: CVE-2025-33073 and the One-Hop Problem appeared first on Security Boulevard.
GitHub published 4,101 reviewed advisories in 2025. This is the fewest number of reviewed advisories since 2021. Does this mean open source is shipping more secure code? Let’s dig into the data to find out.
Fewer advisories reviewed doesn’t mean fewer vulnerabilities were reported. The drop is because GitHub reviewed far fewer older vulnerabilities. When you look only at newly reported vulnerabilities from our sources, GitHub actually reviewed 19% more advisories year over year.
So why the change? Quite frankly, we are running out of unreviewed vulnerabilities that are older than the Advisory Database. At the same time, the number of newly reported vulnerabilities hasn’t dropped.
It’s also worth clarifying that “unreviewed” in the database can be misleading: most advisories marked unreviewed have already been looked at by a curator and found not to affect any package in a supported ecosystem, so they may never be fully reviewed.
This means that you should be receiving fewer brand-new Dependabot alerts about old vulnerabilities.
Note: If you find an unreviewed advisory that affects a supported package, please let us know so we can get it reviewed!
The distribution of ecosystems in advisories reviewed in 2025 is similar to the overall distribution in the database, with the exception of Go. Go is overrepresented in 2025 advisories by 6%. This is largely due to dedicated campaigns to re-examine potentially missing advisories found through an internal review for packages where we had inconsistent coverage.
| Rank | Common Weakness Enumeration (CWE) | Number of 2025 Advisories* | Change in Rank from 2024 | Change in Rank from the Overall Database |
|---|---|---|---|---|
| 1 | CWE-79 | 672 | +0 | +0 |
| 2 | CWE-22 | 214 | +2 | +1 |
| 3 | CWE-863 | 169 | +9 | +8 |
| 4 | CWE-20 | 154 | +1 | +1 |
| 5 | CWE-200 | 145 | -2 | -1 |
| 6 | CWE-400 | 144 | +4 | +0 |
| 7 | CWE-770 | 136 | +7 | +10 |
| 8 | CWE-502 | 134 | +5 | +1 |
| 9 | CWE-94 | 119 | -3 | -1 |
| 10 | CWE-918 | 103 | +5 | +8 |
* An advisory may have more than CWE. For example, an advisory might have both CWE-400 and CWE-770. It would then count for both.
As usual, cross-site scripting (CWE-79) is by far the most common vulnerability type. However, there are significant changes in the following areas. Resource exhaustion (CWE-400 and CWE-770), unsafe deserialization (CWE-502), and server-side request forgery (CWE-918) were unusually common in 2025. CWE-863 (“Incorrect Authorization”) saw a significant jump, but that is largely due to reclassification away from CWE-284 (“Improper Access Control”) and CWE-285 (“Improper Authorization”), which are higher level CWEs that the CWE program discourages using.
One of the biggest quality improvements in 2025 was more specific, more consistent CWE tagging. Advisories without any CWE dropped 85% (from 452 in 2024 to 65 in 2025). CWE-20 (“Improper Input Validation”) is still common, but in prior years it was often the only CWE listed on an advisory.
In 2025, advisories far more often list CWE-20 plus one or more additional CWEs that describe the concrete failure mode. This added specificity makes the data more actionable for triage, prioritization, and remediation.
To find out how to filter Dependabot alerts by CWE, see our documentation on auto-triage rules.
We provide two scoring systems for prioritization:
Together, they can give you a head start on your risk assessment process.
As you can see, when considering impact, most vulnerabilities skew moderate to high of the impact range. Low-impact vulnerabilities are likely more common than the CVSS data suggests but are often not considered worth the time and effort for researchers and maintainers to report. The EPSS scores for moderate to high impact vulnerabilities support this decision.
So should you trust the EPSS or CVSS scores? To judge that, let’s look at how they match up to vulnerabilities in CISA’s Known Exploited Vulnerabilities Catalog. The exploited vulnerabilities are at least scored moderate, and most are critical or high. While CVSS has more of the exploited vulnerabilities as critical, it also has far more vulnerabilities in the range in general. Combining the two can help you prioritize which vulnerabilities to address to prevent exploitation.
2025 was a huge year for npm malware advisories. Due to large malware campaigns, such as SHA1-Hulud, GitHub saw a 69% increase in published malware advisories compared to 2024. This is the most malware advisories GitHub has published since our initial release of historical malware when we added support in 2022.
You can receive Dependabot alerts when your repositories depend on npm packages with known malicious versions. When you enable malware alerting, Dependabot matches your npm dependencies against malware advisories in the GitHub Advisory Database.
2025 was a big year for the GitHub, Inc. CNA. We saw a 35% increase in published CVE records, outpacing the overall CVE Project’s increase of 21%.
In fact, we saw 10 to 16% growth every quarter. If this trend continues, GitHub will publish over 50% more CVEs in 2026.
You can help make that a reality by requesting a CVE from us the next time you publish a repository security advisory about a vulnerability!
Every year, GitHub sees more organizations use its CNA services. 2025 is no exception with a 20% increase in new organizations requesting CVE IDs.
Unlike reviewed global advisories, which are always mapped to packages in ecosystems we support, any maintainer on GitHub can request a CVE, even if they don’t publish that package to a supported ecosystem. In fact, 2025 is the first year that GitHub has published more CVEs from organizations that do not use a supported ecosystem than those that do.
We would like to thank all 987 organizations that published CVEs with us in 2025 and highlight the top 10 most prolific organizations.
| Top 10 organizations using the GitHub CNA | |
|---|---|
| Organization | Number of 2025 CVEs |
| LabReDeS (WeGIA)* | 130 |
| XWiki | 40 |
| Frappe | 28 |
| Discourse | 27 |
| Enalean | 27 |
| FreeScout* | 27 |
| DataEase | 26 |
| Nextcloud | 25 |
| GLPI | 24 |
| DNN Software* | 23 |
* Organizations that published CVEs through GitHub for the first time in 2025
The data from 2025 shows incredible growth:
These numbers represent real security improvements for millions of developers.
You can be part of this in 2026. Here’s how:
Publishing CVEs shouldn’t be complicated. Request a CVE directly from your repository security advisory, and we’ll take care of curating and publishing it for you. It’s free, it’s fast, and it helps the entire ecosystem understand and respond to vulnerabilities.
Found an unreviewed advisory affecting a supported package? See incorrect severity scores or missing affected versions? Suggest edits. Your edits will be reviewed by the Advisory Database team and ultimately, will help make the database more accurate for everyone. In 2025, 675 contributions from the community improved the quality of this data for the entire software industry!
The most direct impact you can have is protecting your own code. Enable Dependabot to automatically receive security updates and explore GitHub Advanced Security for comprehensive protection.
Let researchers know how to report to you and what you will and will not accept by creating a security policy for your repository. Enable private vulnerability reporting to make the coordination process smooth and secure.
Let’s make 2026 even better. See you in next year’s review! 🚀
The post A year of open source vulnerability trends: CVEs, advisories, and malware appeared first on The GitHub Blog.
Kaspersky Security Services provide a comprehensive cybersecurity ecosystem, taking enterprise threat protection to another level. Services like Kaspersky Managed Detection and Response and Compromise Assessment allow for timely detection of threats and cyberattacks. SOC Consulting provides a practical approach ensuring the corporate infrastructure stays secured, while Incident Response is suited for timely remediation with a maximized recovery rate.
High-level overview of the MDR, IR and CA connection
This new report brings together statistics across regions and industries from our Managed Detection and Response and Incident Response services, and for the first time, it also includes insights from our Compromise Assessment and SOC Consulting services — all to provide you with more comprehensive view of different aspects of corporate information security worldwide.
Provision of Kaspersky’s MDR and IR services follows a global approach. The majority of customers accounted for the CIS (34.7%), the Middle East (20.1%), and Europe (18.6%).
Distribution of customers by geographical region, 2025
Following the previous year’s numbers, in 2025, the MDR infrastructure received and processed an average of 15,000 telemetry events per host every day, generating security alerts as a result. These alerts are first processed by AI-powered detection logic, after which Kaspersky SOC analysts handle them as required. Overall, a total of approximately 400,000 alerts were generated in 2025. After counting out false positives, 39,000 alerts were further investigated.
MDR telemetry statistics, 2025
The distribution of remediation requests by industry has slightly changed as compared to previous years’ pattern. Government (18.5%) and industrial (16.6%) organizations are still the most targeted industries in regards to cyberattacks that require incident response activities. However, this year, the IT sector saw a growth in the number of IR requests, eventually being placed third in the overall industry distribution rankings and thus replacing financial organizations, which were targeted less often than in 2024. This is equally true for smaller-scale attacks that can be contained and remediated through automated means — the only difference is that medium- and low-severity incidents are more often experienced by financial organizations.
Distribution of all incidents by industry sector, 2025
This section presents key findings and trends in cyberattacks in 2025:
The full 2026 Global Report provides additional information about cyberattacks, including real-world cases discovered by Kaspersky experts. We also describe SOC Consulting projects and Compromise Assessment requests. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during Incident Response engagements.
Just a little over a month after fixing the actively exploited CVE-2026-20700 zero-day, Apple has now issued its first Background Security Improvements release to address CVE-2026-20643, a WebKit vulnerability that could allow maliciously crafted web content to bypass the Same Origin Policy, one of the browser’s core security boundaries.
The issue in the limelight adds to the constantly rising vulnerability threat. Experts forecast that 2026 will be the first year to surpass 50,000 published CVEs, with a median estimate of 59,427 and a realistic possibility of far higher totals. At the same time, the NIST has already recorded over 13K+ vulnerabilities this year, underscoring the growing scale defenders must monitor.
Sign up for the SOC Prime Platform to access the global marketplace of 800,000+ detection rules and queries made by detection engineers, updated daily, and enriched with AI-native threat intel to proactively defend against emerging threats.
Just click the Explore Detections below and immediately reach the extensive detection stack filtered out by “CVE” tag. All detections are compatible with dozens of SIEM, EDR, and Data Lake formats and are mapped to MITRE ATT&CK®.
Security experts can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.
CVE-2026-20643 affects WebKit, the browser engine behind Safari and a wide range of Apple web content handling across iPhone, iPad, and Mac. Apple’s advisory says the flaw could allow maliciously crafted web content to bypass the Same Origin Policy because of a cross-origin issue in the Navigation API.
Notably, the Same Origin Policy is one of the web’s foundational protections. It is meant to stop one website from reaching into the data, sessions, or active content of another. When this boundary is breached, a malicious webpage may access data from another site, undermining one of the basic rules browsers rely on to keep web activity separate and private.
The exposure is broader than Safari alone. WebKit powers Safari, many third-party browsers on iOS and iPadOS, and in-app web views across Apple platforms. In practice, that means the vulnerable component is exercised not only when a user browses the web directly, but also when apps load embedded web content.
Apple has not mentioned that CVE-2026-20643 was exploited in the wild, and its advisory focuses on the technical impact rather than observed attack activity. Still, the issue resides in a high-exposure component that processes untrusted web content constantly. In enterprise environments, a flaw that weakens browser isolation can increase the risk of session abuse, cross-site data access, and follow-on compromise through malicious or compromised web content.
What makes Apple’s latest release especially notable is how the vendor delivered the fix. Background Security Improvements is designed to ship smaller security patches between full software updates. It is currently available on the latest versions of iOS, iPadOS, and macOS. In the case of CVE-2026-20643, Apple used the new mechanism to push a WebKit fix directly to supported devices instead of waiting for a broader release.
Apple addressed CVE-2026-20643 through its first Background Security Improvements release for supported iPhone, iPad, and Mac devices. The fix was shipped as the corresponding “(a)” update for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, with Apple citing improved input validation as the remediation. Security researcher Thomas Espach was credited with reporting the flaw.
Apple says Background Security Improvements are managed from the Privacy & Security menu. Apple recommends keeping Automatically Install enabled so devices receive these fixes between normal software releases.
Notably, if Background Security Improvements are turned off, the device will not receive these protections until they are included in a later software update. Apple also says that removing an installed Background Security Improvement reverts the device to the baseline software version without any applied background security patches. For that reason, the safest path is to leave automatic installation on and avoid removing the update unless a compatibility issue makes it necessary.
Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.
What is CVE-2026-20643 and how does it work?
CVE-2026-20643 is a WebKit vulnerability affecting iOS, iPadOS, and macOS. Apple describes it as a cross-origin issue in the Navigation API that may allow maliciously crafted web content to bypass the Same Origin Policy.
When was CVE-2026-20643 disclosed?
Apple published the security advisory for CVE-2026-20643 on March 17, 2026, alongside its first Background Security Improvements release covering this flaw.
What is the impact of CVE-2026-20643 on systems?
The main impact is a breakdown in browser isolation. If exploited, the flaw may let malicious web content bypass the Same Origin Policy, which is designed to prevent one site from accessing data or active content from another.
Can CVE-2026-20643 still affect me in 2026?
Yes. Devices that have not received the relevant Background Security Improvements release, or where those protections were disabled or removed, may still remain exposed while running affected versions.
How can I protect from CVE-2026-20643?
Install the applicable Background Security Improvements release for your current Apple OS version and make sure Automatically Install is enabled under Privacy & Security so future fixes are applied without delay.
The post CVE-2026-20643: Vulnerability in WebKit Navigation API May Bypass Same Origin Policy appeared first on SOC Prime.
Microsoft releases an out-of-band hotpatch for critical Windows 11 RRAS vulnerabilities that could allow remote code execution through malicious remote servers.
The post Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities appeared first on TechRepublic.
Chrome zero-days continue to pose a major risk for cyber defenders. Earlier this year, Google patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026. Now, another emergency update has been released, fixing two more flaws already exploited in the wild, CVE-2026-3910 in Chrome’s V8 JavaScript and WebAssembly engine and CVE-2026-3909, an out-of-bounds write bug in Skia.
Google describes CVE-2026-3910 as an inappropriate implementation issue in Chrome V8. In essence, a crafted HTML page may allow a remote attacker to execute arbitrary code inside the browser sandbox.
The latest Chrome emergency patch lands against an increasing zero-day threat. Google Threat Intelligence Group tracked 90 zero-days exploited in the wild in 2025, up from 78 in 2024, and found that enterprise technologies accounted for 43 cases, or a record 48% of observed exploitation.
Register for SOC Prime’s AI-Native Detection Intelligence Platform, backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.
Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.
According to Google’s security advisory, CVE-2026-3910 is a high-severity vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome. It can be triggered through a crafted HTML page and may allow arbitrary code execution inside the browser sandbox. Because V8 processes active content during normal browsing, exploitation can begin with something as simple as visiting a malicious or compromised website.
The risk is substantial because Chrome is deeply embedded in daily enterprise work. An actively exploited V8 flaw can turn ordinary browsing into a path for credential theft, malicious code delivery, or broader compromise, especially when combined with other bugs or phishing.
Google has confirmed that CVE-2026-3910 is being exploited in the wild, but has not published technical details about the exploitation chain.
The same Chrome update also fixed CVE-2026-3909, a high-severity out-of-bounds write vulnerability in the Skia graphics library. Google says the flaw is also being exploited in the wild. Because it affects another core browser component and was fixed in the same emergency release, organizations should apply the full update without delay rather than focus on CVE-2026-3910 alone.
The recommended mitigation is to update Chrome immediately to the latest patched Stable Channel build. Google says the fixed desktop versions are 146.0.7680.75 and 146.0.7680.76 for Windows and macOS and 146.0.7680.75 for Linux. Because Google has confirmed in-the-wild exploitation, organizations should prioritize the update across employee endpoints, administrator workstations, and shared systems used for browsing.
Organizations using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also monitor for corresponding vendor patches, since those products may inherit exposure from the same underlying codebase.
Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.
What is CVE-2026-3910 and how does it work?
CVE-2026-3910 is a high-severity vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. Google describes it as an inappropriate implementation flaw that can be triggered with a crafted HTML page, allowing a remote attacker to execute arbitrary code inside the browser sandbox.
When was CVE-2026-3910 first discovered?
Google’s advisory says the vulnerability was reported on March 10, 2026.
What is the impact of CVE-2026-3910 on systems?
The main risk is that malicious web content could trigger code execution inside Chrome’s browser sandbox. In real attacks, that can turn routine browsing into an entry point for credential theft, malware delivery, or further compromise when paired with other techniques.
Can CVE-2026-3910 still affect me in 2026?
Yes. Any Chrome installation that has not yet been updated to the patched build may still be exposed. Google explicitly says exploits for CVE-2026-3910 exist in the wild.
How can I protect from CVE-2026-3910?
Update Chrome to version 146.0.7680.75 or 146.0.7680.76 on Windows and macOS or 146.0.7680.75 on Linux, then relaunch the browser to make sure the patched build is running. Organizations using Chromium-based alternatives should apply vendor fixes as soon as they become available.
The post CVE-2026-3910: Chrome V8 Zero-Day Used for In-the-Wild Attacks appeared first on SOC Prime.
The beginning of 2026 has brought a wave of zero-day vulnerabilities affecting Microsoft products, including the actively exploited Windows Desktop Window Manager flaw (CVE-2026-20805), the Microsoft Office zero-day (CVE-2026-21509) that prompted an out-of-band fix, and the Windows Notepad RCE bug (CVE-2026-20841). Microsoft’s March Patch Tuesday release keeps defenders busy again, this time shifting attention to CVE-2026-21262, a publicly disclosed SQL Server Elevation of Privilege (EoP) vulnerability that puts enterprise environments at risk.
Microsoft describes CVE-2026-21262 as an improper access control flaw that allows an authorized attacker to elevate privileges over a network. The bug carries a CVSS score of 8.8 and was one of two publicly disclosed zero-days addressed in March’s Patch Tuesday. While there is no confirmed evidence of active exploitation, the combination of public exposure, low attack complexity, and the possibility of privilege escalation inside a core database platform makes this one hard to dismiss as a routine patch.
In view of Microsoft’s broad reach across enterprise and consumer environments, vulnerabilities in its products can have a devastating impact. BeyondTrust reported that Microsoft disclosed a record 1,360 vulnerabilities in 2024, with Elevation of Privilege flaws being a top category. That continued into 2025, when Microsoft patched 1,129 vulnerabilities across the year, while EoP issues stayed at 50% of all fixes as of December 2025. Google Threat Intelligence Group adds another layer of context. It tracked 90 in-the-wild zero-days in 2025 and found that enterprise technologies made up a record 48% of observed exploitation.
Sign up for SOC Prime Platform to access the world’s largest detection intelligence dataset backed by an AI-powered product suite, helping SOC teams seamlessly handle everything from threat detection to simulation. Defenders can drill down to a relevant detection stack for vulnerability exploitation activity by pressing Explore Detections.
All rules are mapped to the latest MITRE ATT&CK® framework and are compatible with multiple SIEM, EDR, and Data Lake platforms. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.
Cyber defenders can also use Uncoder AI to streamline their detection engineering routine. Turn raw threat reports into actionable behavior rules, test your detection logic, map out attack flows, turn IOCs into hunting queries, or instantly translate detection code across languages backed by the power of AI and deep cybersecurity expertise behind every step.
Microsoft’s March 2026 Patch Tuesday addressed over 80 vulnerabilities, including two publicly disclosed zero-days. Across the release, privilege escalation flaws dominated, with the total list containing 46 EoP bugs, 18 RCE flaws, 10 information disclosure bugs, 4 denial-of-service issues, 4 spoofing vulnerabilities, and 2 security feature bypass flaws.
CVE-2026-21262 stands out because it affects SQL Server, a platform many organizations rely on to run core applications and store high-value data. Successful exploitation can let attackers move from a low-privileged authenticated account to SQL sysadmin, which effectively means full control over the affected database instance. From there, hackers can access or alter data, change configuration, create new logins, or establish persistence inside the SQL environment.
The flaw does not provide initial access on its own. An attacker still needs valid credentials and network reachability to a vulnerable SQL Server instance. That limitation matters, but it should not create false confidence. In many enterprise environments, low-privileged database accounts are spread across applications, integration services, automation tooling, and legacy workloads, which makes post-compromise abuse a realistic scenario.
Microsoft’s March Patch Tuesday release also included several other vulnerabilities defenders should keep in focus. The second publicly disclosed zero-day is a .NET denial-of-service flaw (CVE-2026-26127). Microsoft also fixed two notable Office remote code execution bugs (CVE-2026-26110, CVE-2026-26113), which can be exploited through the Preview Pane. Another important issue is an Excel information disclosure flaw (CVE-2026-26144) that researchers say could potentially be abused to exfiltrate data through Copilot Agent mode.
According to Microsoft’s advisory, organizations running SQL Server should first identify the exact product version and current build, then install the March 10 security update that matches the instance’s servicing path.
Notably, the vendor distinguishes between the GDR path, which delivers security fixes only, and the CU path, which includes both security and functional fixes. If an instance has been following the GDR track, install the matching GDR package. If it has already been receiving CU releases, install the corresponding CU security update. Microsoft also notes that organizations can move from GDR to CU once, but cannot roll back from CU to GDR afterward.
The affected supported branches and corresponding updates include the following:
Alongside patching, defenders should review SQL logins and role assignments, reduce unnecessary privileges for service and application accounts, restrict network exposure to database servers, and monitor for unusual permission changes or newly assigned high-privilege roles. Because exploitation requires valid credentials, it is also worth reviewing embedded database credentials, shared service accounts, and secrets management practices across the environment.
Also, by enhancing the defenses with SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.
What is CVE-2026-21262 and how does it work?
CVE-2026-21262 is a high-severity Elevation of Privilege vulnerability in Microsoft SQL Server. Microsoft describes it as an improper access control flaw that allows an authorized attacker to elevate privileges over a network. In practice, that means an attacker with valid low-privileged access to a vulnerable SQL Server instance may be able to abuse the flaw to gain far higher permissions
When was CVE-2026-21262 first discovered?
The vulnerability was officially disclosed and published on March 10, 2026, as part of Microsoft’s March Patch Tuesday release. Microsoft credited Erland Sommarskog with discovering the flaw.
What is the impact of CVE-2026-21262 on systems?
CVE-2026-21262 can let an authenticated attacker escalate privileges inside a vulnerable SQL Server instance, potentially reaching SQL sysadmin-level access. In practical terms, that could give an attacker broad control over the database environment, including the ability to access or alter sensitive data, change server settings, create new logins, and establish persistence within the affected SQL Server instance.
Can CVE-2026-21262 still affect me in 2026?
Yes. Any unpatched supported SQL Server deployment can still be exposed in 2026 if it is running a vulnerable build and an attacker has valid credentials plus network access to the instance. The flaw was publicly disclosed, which increases the chance of follow-on abuse even though Microsoft had not listed it as actively exploited at release time.
How can you protect from CVE-2026-21262?
Microsoft’s guidance is to identify your exact SQL Server version and then install the matching March 2026 security update for that servicing path. That means applying the correct GDR or CU package for SQL Server 2016 SP3, 2017, 2019, 2022, or 2025, depending on your current branch.
The post CVE-2026-21262: SQL Server Zero-Day Fixed in Microsoft’s March Patch Tuesday Release appeared first on SOC Prime.
For the last few months, we’ve been using the GitHub Security Lab Taskflow Agent along with a new set of auditing taskflows that specialize in finding web security vulnerabilities. They also turn out to be very successful at finding high-impact vulnerabilities in open source projects.
As security researchers, we’re used to losing time on possible vulnerabilities that turn out to be unexploitable, but with these new taskflows, we can now spend more of our time on manually verifying the results and sending out reports. Furthermore, the severity of the vulnerabilities that we’re reporting is uniformly high. Many of them are authorization bypasses or information disclosure vulnerabilities that allow one user to login as somebody else or to access the private data of another user.
Using these taskflows, we’ve reported more than 80 vulnerabilities so far. At the time of writing, approximately 20 of them have already been disclosed. And we’re continually updating our advisories page when new vulnerabilities are disclosed. In this blog post, we’ll show a few concrete examples of high-impact vulnerabilities that are found by these taskflows, like accessing personally identifiable information (PII) in shopping carts of ecommerce applications or signing in with any password into a chat application.
We’ll also explain how the taskflows work, so you can learn how to write your own. The security community moves faster when it shares knowledge, which is why we’ve made the framework open source and easy to run on your own project. The more teams using and contributing to it, the faster we collectively eliminate vulnerabilities.
Want to get started right away? The taskflows are open source and easy to run yourself! Please note: A GitHub Copilot license is required, and the prompts will use premium model requests. (Note that running the taskflows can result in many tool calls, which can easily consume a large amount of quota.)
Entrar./scripts/audit/run_audit.sh myorg/myrepoIt might take an hour or two to finish on a medium-sized repository. When it finishes, it’ll open an SQLite viewer with the results. Open the “audit_results” table and look for rows with a check-mark in the “has_vulnerability” column.
| Tip: Due to the non-deterministic nature of LLMs, it is worthwhile to perform multiple runs of these audit taskflows on the same codebase. In certain cases, a second run can lead to entirely different results. In addition to this, you might perform those two runs using different models (e.g., the first using GPT 5.2 and the second using Claude Opus 4.6). |
The taskflows also work on private repos, but you’ll need to modify the codespace configuration to do so because it won’t allow access to your private repos by default.
Taskflows are YAML files that describe a series of tasks that we want to do with an LLM. With them, we can write prompts to complete different tasks and have tasks that depend on each other. The seclab-taskflow-agent framework takes care of running the tasks sequentially and passing the results from one task to the next.
For example, when auditing a repository, we first divide the repository into different components according to their functionalities. Then, for each component, we may want to collect some information such as entry points where it takes untrusted input from, intended privilege, and purposes of the component, etc. These results are then stored in a database to provide the context for subsequent tasks.
Based on the context data, we can then create different auditing tasks. Currently, we have a task that suggests some generic issues for each component and another task that carefully audits each suggested issue. However, it’s also possible to create other tasks, such as tasks with specific focus on a certain type of issue.
These become a list of tasks we specify in a taskflow file.
We use tasks instead of one big prompt because LLMs have limited context windows, and complex, multi-step tasks are often not completed properly. For example, some steps can be left out. Even though some LLMs have larger context windows, we find that taskflows are still useful in providing a way for us to control and debug the tasks, as well as for accomplishing bigger and more complex projects.
The seclab-taskflow-agent can also run the same task across many components asynchronously (like a for loop). During audits, we often reuse the same prompt and task for every component, varying only the details. The seclab-taskflow-agent lets us define templated prompts, iterate through components, and substitute component-specific details as it runs.
After using seclab-taskflow-agent to triage CodeQL alerts, we decided we didn’t want to restrict ourselves to specific types of vulnerabilities and started to explore using the framework for more general security auditing. The main challenge in giving LLMs more freedom is the possibility of hallucinations and an increase in false positives. After all, the success with triaging CodeQL alerts was partly due to the fact that we gave the LLM a very strict and well-defined set of instructions and criteria, so the results could be verified at each stage to see if the instructions were followed.
So our goal here was to find a good way to allow the LLM the freedom to look for different types of vulnerabilities while keeping hallucinations under control.
We’re going to show how we used agent taskflows to discover high-impact vulnerabilities with high true positive rate using just taskflow design and prompt engineering.
To minimize hallucinations and false positives at the taskflow design level, our taskflow starts with a threat modelling stage, where a repository is divided into different components based on functionalities and various information, such as entry points, and the intended use of each component is collected. This information helps us to determine the security boundary of each component and how much exposure it has to untrusted input.
The information collected through the threat modelling stage is then used to determine the security boundary of each component and to decide what should be considered a security issue. For example, a command injection in a CLI tool with functionality designed to execute any user input script may be a bug but not a security vulnerability, as an attacker able to inject a command using the CLI tool can already execute any script.
At the level of prompts, the intended use and security boundary that is discovered is then used in the prompts to provide strict guidelines as to whether an issue found should be considered a vulnerability or not.
You need to take into account of the intention and threat model of the component in component notes to determine if an issue is a valid security issue or if it is an intended functionality. You can fetch entry points, web entry points and user actions to help you determine the intended usage of the component.Asking an LLM something as vague as looking for any type of vulnerability anywhere in the code base would give poor results with many hallucinated issues. Ideally, we’d like to simulate the triage environment where we have some potential issues as the starting point of analysis and ask the LLM to apply rigorous criteria to determine whether the potential issue is valid or not.
To bootstrap this process, we break the auditing task into two steps.
In this setup, the suggestions from the first step act as some inaccurate vulnerability alerts flagged by an “external tool,” while the second step serves as a triage step. While this may look like a self-validating process—by breaking it down into two steps, each with a fresh context and different prompts—the second step is able to provide an accurate assessment of suggestions.
We’ll now go through these tasks in detail.
When triaging alerts flagged by automatic code scanning tools, we found that a large proportion of false positives is the result of improper threat modeling. Most static analysis tools do not take into account the intended usage and security boundary of the source code and often give results that have no security implications. For example, in a reverse proxy application, many SSRF (server-side request forgery) vulnerabilities flagged by automated tools are likely to fall within the intended use of the application, while some web services used, for example, in continuous integration pipelines are designed to execute arbitrary code and scripts within a sandboxed environment. Remote code execution vulnerabilities in these applications without a sandboxed escape are generally not considered a security risk.
Given these caveats, it pays to first go through the source code to get an understanding of the functionalities and intended purpose of code. We divide this process into the following tasks:
identify_applications taskflow, which asks the LLM to inspect the repository’s source code and documentation and divide it into components by functionality. At each of the above steps, information gathered about the repository is stored in a database. This includes components in the repository, their entry points, web entry points, and intended usage. This information is then available for use in the next stage.
At this stage, we instruct the LLM to suggest some types of vulnerabilities, or a general area of high security risk for each component based on the information about the entry point and intended use of the component gathered from the previous step. In particular, we put emphasis on the intended usage of the component and its risk from untrusted input:
Base your decision on:
- Is this component likely to take untrusted user input? For example, remote web request or IPC, RPC calls?
- What is the intended purpose of this component and its functionality? Does it allow high privileged action?
Is it intended to provide such functionalities for all user? Or is there complex access control logic involved?
- The component itself may also have its own `README.md` (or a subdirectory of it may have a `README.md`). Take a look at those files to help understand the functionality of the component.We also explicitly instruct the LLM to not suggest issues that are of low severity or are generally considered non-security issues.
However, you should still take care not to include issues that are of low severity or requires unrealistic attack scenario such as misconfiguration or an already compromised system.In general, we keep this stage relatively free of restrictions and allow the LLM freedom to explore and suggest different types of vulnerabilities and potential security issues. The idea is to have a reasonable set of focus areas and vulnerability types for the actual auditing task to use as a starting point.
One problem we ran into was that the LLM would sometimes start auditing the issues that it suggested, which would defeat the purpose of the brainstorming phase. To prevent this, we instructed the LLM to not audit the issues.
This is the final stage of the taskflows. Once we’ve gathered all the information we need about the repository and have suggested some types of vulnerabilities and security risks to focus on, the taskflow goes through each suggested issue and audits them by going through the source code. At this stage, the task starts with fresh context to scrutinize the issues suggested from the previous stage. The suggestions are considered to be unvalidated, and this taskflow is instructed to verify these issues:
The issues suggested have not been properly verified and are only suggested because they are common issues in these types of application. Your task is to audit the source code to check if this type of issues is present.To avoid the LLM coming up with issues that are non-security related in the context of the component, we once again emphasize that intended usage must be taken into consideration.
You need to take into account of the intention and threat model of the component in component notes to determine if an issue is a valid security issue or if it is an intended functionality.To avoid the LLM hallucinating issues that are unrealistic, we also instruct it to provide a concrete and realistic attack scenario and to only consider issues that stem from errors in the source code:
Do not consider scenarios where authentication is bypassed via stolen credential etc. We only consider situations that are achievable from within the source code itself.
...
If you believe there is a vulnerability, then you must include a realistic attack scenario, with details of all the file and line included, and also what an attacker can gain by exploiting the vulnerability. Only consider the issue a vulnerability if an attacker can gain privilege by performing an action that is not intended by the component.To further reduce hallucinations, we also instruct the LLM to provide concrete evidence from the source code, with file path and line information:
Keep a record of the audit notes, be sure to include all relevant file path and line number. Just stating an end point, e.g. `IDOR in user update/delete endpoints (PUT /user/:id)` is not sufficient. I need to have the file and line number.Finally, we also instruct the LLM that it is possible that there is no vulnerability in the component and that it should not make things up:
Remember, the issues suggested are only speculation and there may not be a vulnerability at all and it is ok to conclude that there is no security issue.The emphasis of this stage is to provide accurate results while following strict guidelines—and to provide concrete evidence of the findings. With all these strict instructions in place, the LLM indeed rejects many unrealistic and unexploitable suggestions with very few hallucinations.
The first prototype was designed with hallucination prevention as a priority, which raised a question: Would it become too conservative, rejecting most vulnerability candidates and failing to surface real issues?
The answer is clear after we ran the taskflow on a few repositories.
In this section, we’ll show three examples of vulnerabilities that were found by the taskflows and that have already been disclosed. In total, we have found and reported over 80 vulnerabilities so far. We publish all disclosed vulnerabilities on our advisories page.
Our information-gathering taskflows are optimized toward web applications, which is why we first pointed our audit taskflows to a collaborative web application called Outline.
Outline is a multi-user collaboration suite with properties we were especially interested in:
And success: Our taskflows found a bug in the authorization logic on the very first run!
The notes in the audit results read like this:
Audit target: Improper membership management authorization in component server (backend API) of outline/outline (component id 2).
Summary conclusion: A real privilege escalation vulnerability exists. The document group membership modification endpoints (documents.add_group, documents.remove_group) authorize with the weaker \"update\" permission instead of the stronger \"manageUsers\" permission that is required for user membership changes. Because \"update\" can be satisfied by having only a ReadWrite membership on the document, a non‑admin document collaborator can grant (or revoke) group memberships – including granting Admin permission – thereby escalating their own privileges (if they are in the added group) and those of other group members. This allows actions (manageUsers, archive, delete, etc.) that were not intended for a mere ReadWrite collaborator.Reading the TypeScript-based source code and verifying this finding on a test instance revealed that it was exploitable exactly as described. In addition, the described steps to exploit this vulnerability were on point:
Prerequisites:
- Attacker is a normal team member (not admin), not a guest, with direct ReadWrite membership on Document D (or via a group that grants ReadWrite) but NOT Admin.
- Attacker is a member of an existing group G in the same team (they do not need to be an admin of G; group read access is sufficient per group policy).
Steps:
1. Attacker calls POST documents.add_group (server/routes/api/documents/documents.ts lines 1875-1926) with body:
{
"id": "<document-D-id>",
"groupId": "<group-G-id>",
"permission": "admin"
}
2. Authorization path:
- Line 1896: authorize(user, "update", document) succeeds because attacker has ReadWrite membership (document.ts lines 96-99 allow update).
- Line 1897: authorize(user, "read", group) succeeds for any non-guest same-team user (group.ts lines 27-33).
No \"manageUsers\" check occurs.
3. Code creates or updates GroupMembership with permission Admin (lines 1899-1919).
4. Because attacker is a member of group G, their effective document permission (via groupMembership) now includes DocumentPermission.Admin.
5. With Admin membership, attacker now satisfies includesMembership(Admin) used in:
- manageUsers (document.ts lines 123-134) enabling adding/removing arbitrary users via documents.add_user / documents.remove_user (lines 1747-1827, 1830-1872).
- archive/unarchive/delete (document.ts archive policy lines 241-252; delete lines 198-208) enabling content integrity impact.
- duplicate, move, other admin-like abilities (e.g., duplicate policy lines 136-153; move lines 155-170) beyond original ReadWrite scope.Using these instructions, a low-privileged user could add arbitrary groups to a document that the user was only allowed to update (the user not being in the possession of the “manageUsers” permission that was typically required for such changes).
In this sample, the group “Support” was added to the document by the low-privileged user named “gg.”
The Outline project fixed this and another issue we reported within three days! (Repo advisory)
We didn’t realize what systematic issues we’d uncover in the cart logic of ecommerce applications until we pointed our taskflows at the first online shop in our list. In the PHP-based WooCommerce project, the taskflows promptly found a way for normally signed-in shop users to view all guest orders—including personally identifiable information (including names, addresses, and phone numbers). After we reported this, Automattic (the company behind WooCommerce) quickly released an update (CVE-2025-15033) and accompanying blog post.
Intrigued by that vulnerability, we’ve added additional ecommerce applications to our list of applications to be audited by our agent. And sure enough, we found more vulnerabilities. The popular Ruby-based Spree commerce application contained two similar vulnerabilities (CVE-2026-25758 and CVE-2026-25757). The more critical one allowed unauthenticated users to simply enumerate the addresses (and phone numbers) of all guest orders by more or less incrementing a sequential number.
In this screenshot, the attacker “test66” linked their session to an existing address of a guest user, thus being able to view the full address and phone number.
Our bug-hunting spree didn’t stop with Spree. Our taskflows uncovered similar issues in two additional ecommerce applications.
These authorization logic bugs had been undiscovered for years.
(This is not what passwordless authentication should look like!)
Every so often you can’t believe your eyes. This finding reported by our taskflows in Rocket.Chat was one of those moments.
When your agent comes back with a note like this:
VULNERABILITY: password authentication bypass in account-service allows logging in as any user with a password set.You might find it hard to believe at first.
When you then continue reading the output:
Root cause:
- ee/apps/account-service/src/lib/utils.ts:60-61: `validatePassword` returns `Promise<boolean>` (bcrypt.compare(...)).
- ee/apps/account-service/src/lib/loginViaUsername.ts:18-21: `const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);` but does NOT `await` the Promise; since a Promise is truthy, `if (!valid) return false;` is never triggered when bcrypt hash exists.
- ee/apps/account-service/src/lib/loginViaUsername.ts:23-35: proceeds to mint a new login token and saves it, returning `{ uid, token, hashedToken, tokenExpires }`.It might make more sense, but you’re still not convinced.
It turns out the suspected finding is in the micro-services based setup of Rocket.Chat. In that particular setup, Rocket.Chat exposes its user account service via its DDP Streamer service.
Once our Rocket.Chat test setup was working properly, we had to write proof of concept code to exploit this potential vulnerability. The notes of the agent already contained the JSON construct that we could use to connect to the endpoint using Meteor’s DDP protocol.
We connected to the WebSocket endpoint for the DDP streamer service, and yes: It was truly possible to login into the exposed Rocket.Chat DDP service using any password. Once signed in, it was also possible to perform other operations such as connecting to arbitrary chat channels and listening on them for messages sent to those channels.
Here we received the message “HELLO WORLD!!!” while listening on the “General” channel.
The technical details of this issue are interesting (and scary as well). Rocket.Chat, primarily a TypeScript-based web application, uses bcrypt to store local user passwords. The bcrypt.compare function (used to compare a password against its stored hash) returns a Promise—a fact that is reflected in Rocket.Chat’s own validatePassword function, which returns Promise<boolean>:
export const validatePassword = (password: string, bcryptPassword: string): Promise<boolean> =>
bcrypt.compare(getPassword(password), bcryptPassword);However, when that function was used, the value of the Promise was not settled (e.g. by adding an await keyword in front of validatePassword):
const valid = user.services?.password?.bcrypt && validatePassword(password, user.services.password.bcrypt);
if (!valid) {
return false;
}This led to the result of validatePassword being ANDed with true. Since a returned Promise is always “truthy” speaking in JavaScript terms, the boolean valid subsequently was always true when a user had a bcrypt password set.
Severity aside, it’s fascinating that the LLM was able to pick up this rather subtle bug, follow it through multiple files, and arrive at the correct conclusion.
After running the taskflows over 40 repositories—mostly multi-user web applications—the LLM suggested 1,003 issues (potential vulnerabilities).
After the audit stage, 139 were marked as having vulnerabilities, meaning that the LLM decided they were exploitable After deduplicating the issues—duplicates happen because each repository is run a couple of times on average and the results are aggregated—we end up with 91 vulnerabilities, which we decided to manually inspect before reporting.
This data was collected using gpt-5.x as the model for code analysis and audit tasks.
Note that we have run the taskflows on more repositories since this data was collected, so this table does not represent all the data we’ve collected and all vulnerabilities we’ve reported.
| Issue category | All | Has vulnerability | Vulnerability rate |
|---|---|---|---|
| IDOR/Access control issue | 241 | 38 | 15.8% |
| XSS | 131 | 17 | 13.0% |
| CSRF | 110 | 17 | 15.5% |
| Authentication issue | 91 | 15 | 16.5% |
| Security misconfiguration | 75 | 13 | 17.3% |
| Path traversal | 61 | 10 | 16.4% |
| SSRF | 45 | 7 | 15.6% |
| Command injection | 39 | 5 | 12.8% |
| Remote code execution | 24 | 1 | 4.2% |
| Business logic issue | 24 | 6 | 25.0% |
| Template injection | 24 | 1 | 4.2% |
| File upload handling issues (excludes path traversal) | 18 | 2 | 11.1% |
| Insecure deserialization | 17 | 0 | 0.0% |
| Open redirect | 16 | 0 | 0.0% |
| SQL injection | 9 | 0 | 0.0% |
| Sensitive data exposure | 8 | 0 | 0.0% |
| XXE | 4 | 0 | 0.0% |
| Memory safety | 3 | 0 | 0.0% |
| Others | 66 | 7 | 10.6% |
If we divide the findings into two rough categories—logical issues (IDOR, authentication, security misconfiguration, business logic issues, sensitive data exposure) and technical issues (XSS, CSRF, path traversal, SSRF, command injection, remote code execution, template injection, file upload issues, insecure deserialization, open redirect, SQL injection, XXE, memory safety)—we get 439 logical issues and 501 technical issues. Although more technical issues were suggested, the difference isn’t significant because some broad categories (such as remote code execution and file upload issues) can also involve logical issues depending on the attacker scenario.
There are only three suggested issues that concern memory safety. This isn’t too surprising, given the majority of the repositories tested are written in memory-safe languages. But we also suspect that the current taskflows may not be very efficient in finding memory-safety issues, especially when comparing to other automated tools such as fuzzers. This is an interesting area that can be improved by creating more specific taskflows and making more tools, like fuzzers, available to the LLM.
This data led us to the following observations.
What stands out from the data is the 25% rate of “Business logic issue” and the large amount of IDOR issues. In fact, the total number of IDOR issues flagged as vulnerable is more than the next two categories combined (XSS and CSRF). Overall, we get the impression that the LLM does an excellent job of understanding the code space and following the control flow, while taking into account the access control model and intended usage of the application, which is more or less what we’d expect from LLMs that excel in tasks like code reviews. This also makes it great for finding logic bugs that are difficult to find with traditional tools.
Curiously, none of the false positives are what we’d consider to be hallucinations. All the reports, including the false positives, have sound evidence backing them up, and we were able to follow through the report to locate the endpoints and apply the suggested payload. Many of the false positives are due to more complex circumstances beyond what is available in the code, such as browser mitigations for XSS issues mentioned above or what we would consider as genuine mistakes that a human auditor is also likely to make. For example, when multiple layers of authentications are in place, the LLM could sometimes miss out some of the checks, resulting in false positives.
We have since tested more repositories with more vulnerabilities reported, but the ratio between vulnerabilities and repositories remains roughly the same.
To demonstrate the extensibility of taskflows and how extra information can be incorporated into the taskflows, we created a new taskflow to run after the audit stage, which incorporates our new-found knowledge to filter out low-severity vulnerabilities. We found that the taskflow can filter out roughly 50% of the low-severity vulnerabilities with a couple of borderline vulnerabilities that we reported also getting marked as low severity. The taskflow and the prompt can be adjusted to fit the user’s own preference, but for us, we’re happy to make it more inclusive so we don’t miss out on anything impactful.
The LLM performs well in threat modeling in general. During the experiment, we tested it on a number of applications with different threat models, such as desktop applications, multi-tenant web applications, applications that are designed to run code in sandbox environments (code injection by design), and reverse proxy applications (applications where SSRF-like behavior is intended). The taskflow is able to take into account the intended usage of these applications and make sound decisions. The taskflow struggles most with threat modelling of desktop applications, as it is often unclear whether other processes running on the user’s desktop should be considered trusted or not.
We’ve also observed some remarkable reasoning by the LLM that excludes issues with no privilege gains. For example, in one case, the LLM noticed that while there are inconsistencies in access control, the issue does not give the attacker any advantages over a manual copy and paste action:
Security impact assessment:
A user possessing only read access to a document (no update rights) can duplicate it provided they also have updateDocument rights on the destination collection. This allows creation of a new editable copy of content they could already read. This does NOT grant additional access to other documents nor bypass protections on the original; any user with read access could manually copy-paste the content into a new document they are permitted to create (creation generally allowed for non-guest, non-viewer members in ReadWrite collections per createDocument collection policy)We’ve also seen some more sophisticated techniques that were used in the reasoning. For example, in one application that is running scripts in a sandboxed nodejs environment, the LLM suggested the following technique to escape the sandbox:
In Node’s vm, passing any outer-realm function into a contextified sandbox leaks that function’s outer-realm Function constructor through the `constructor` property. From inside the sandbox:
const F = console.log.constructor; // outer-realm Function
const hostProcess = F('return process')(); // host process object
// Bypass module allowlist via host dynamic import
const cp = await F('return import("node:child_process")')();
const out = cp.execSync('id').toString();
return [{ json: { out } }];
The presence of host functions (console.log, timers, require, RPC methods) is sufficient to obtain the host Function constructor and escape the sandbox. The allowlist in require-resolver is bypassed by constructing host-realm functions and using dynamic import of built-in modules (e.g., node:child_process), which does not go through the sandbox’s custom require.While the result turns out to be a false positive due to other mitigating factors, it demonstrates the LLM’s technical knowledge.
The taskflows we used to find these vulnerabilities are open source and easy to run on your own project, so we hope you’ll give them a try! We also want to encourage you to write your own taskflows. The results showcased in this blog post are just small examples of what’s possible. There are other types of vulnerabilities to find, and there are other security-related problems, like triaging SAST results or building development setups, which we think taskflows can help with. Let us know what you’re building by starting a discussion on our repo!
The post How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework appeared first on The GitHub Blog.
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
This section contains statistics on registered vulnerabilities. The data is taken from cve.org.
Let’s take a look at the number of registered CVEs for each month over the last five years, up to and including the end of 2025. As predicted in our last report, Q4 saw a higher number of registered vulnerabilities than the same period in 2024, and the year-end totals also cleared the bar set the previous year.
Total published vulnerabilities by month from 2021 through 2025 (download)
Now, let’s look at the number of new critical vulnerabilities (CVSS > 8.9) for that same period.
Total number of published critical vulnerabilities by month from 2021 to 2025< (download)
The graph shows that the volume of critical vulnerabilities remains quite substantial; however, in the second half of the year, we saw those numbers dip back down to levels seen in 2023. This was due to vulnerability churn: a handful of published security issues were revoked. The widespread adoption of secure development practices and the move toward safer languages also pushed those numbers down, though even that couldn’t stop the overall flood of vulnerabilities.
This section contains statistics on the use of exploits in Q4 2025. The data is based on open sources and our telemetry.
In Q4 2025, the most prevalent exploits targeted the exact same vulnerabilities that dominated the threat landscape throughout the rest of the year. These were exploits targeting Microsoft Office products with unpatched security flaws.
Kaspersky solutions detected the most exploits on the Windows platform for the following vulnerabilities:
The list has remained unchanged for years.
We also see that attackers continue to adapt exploits for directory traversal vulnerabilities (CWE-35) when unpacking archives in WinRAR. They are being heavily leveraged to gain initial access via malicious archives on the Windows operating system:
As in the previous quarter, we see a rise in the use of archiver exploits, with fresh vulnerabilities increasingly appearing in attacks.
Below are the exploit detection trends for Windows users over the last two years.
Dynamics of the number of Windows users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)
The vulnerabilities listed here can be used to gain initial access to a vulnerable system. This highlights the critical importance of timely security updates for all affected software.
On Linux-based devices, the most frequently detected exploits targeted the following vulnerabilities:
Dynamics of the number of Linux users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100% (download)
We are seeing a massive surge in Linux-based exploit attempts: in Q4, the number of affected users doubled compared to Q3. Our statistics show that the final quarter of the year accounted for more than half of all Linux exploit attacks recorded for the entire year. This surge is primarily driven by the rapidly growing number of Linux-based consumer devices. This trend naturally attracts the attention of threat actors, making the installation of security patches critically important.
The distribution of published exploits by software type in Q4 2025 largely mirrors the patterns observed in the previous quarter. The majority of exploits we investigate through our monitoring of public research, news, and PoCs continue to target vulnerabilities within operating systems.
Distribution of published exploits by platform, Q1 2025 (download)
Distribution of published exploits by platform, Q2 2025 (download)
Distribution of published exploits by platform, Q3 2025 (download)
Distribution of published exploits by platform, Q4 2025 (download)
In Q4 2025, no public exploits for Microsoft Office products emerged; the bulk of the vulnerabilities were issues discovered in system components. When calculating our statistics, we placed these in the OS category.
We analyzed which vulnerabilities were utilized in APT attacks during Q4 2025. The following rankings draw on our telemetry, research, and open-source data.
TOP 10 vulnerabilities exploited in APT attacks, Q4 2025 (download)
In Q4 2025, APT attacks most frequently exploited fresh vulnerabilities published within the last six months. We believe that these CVEs will remain favorites among attackers for a long time, as fixing them may require significant structural changes to the vulnerable applications or the user’s system. Often, replacing or updating the affected components requires a significant amount of resources. Consequently, the probability of an attack through such vulnerabilities may persist. Some of these new vulnerabilities are likely to become frequent tools for lateral movement within user infrastructure, as the corresponding security flaws have been discovered in network services that are accessible without authentication. This heavy exploitation of very recently registered vulnerabilities highlights the ability of threat actors to rapidly implement new techniques and adapt old ones for their attacks. Therefore, we strongly recommend applying the security patches provided by vendors.
In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.
The chart below shows the frequency of known C2 framework usage in attacks against users during Q4 2025, according to open sources.
TOP 10 C2 frameworks used by APTs to compromise user systems in Q4 2025 (download)
Despite the significant footprints it can leave when used in its default configuration, Sliver continues to hold the top spot among the most common C2 frameworks in our Q4 2025 analysis. Mythic and Havoc were second and third, respectively. After reviewing open sources and analyzing malicious C2 agent samples that contained exploits, we found that the following vulnerabilities were used in APT attacks involving the C2 frameworks mentioned above:
The set of vulnerabilities described above suggests that attackers have been using them for initial access and early-stage maneuvers in vulnerable systems to create a springboard for deploying a C2 agent. The list of vulnerabilities includes both zero-days and well-known, established security issues.
This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q4 2025 and have a publicly available description.
We typically describe vulnerabilities affecting a specific application. CVE-2025-55182 stood out as an exception, as it was discovered in React, a library primarily used for building web applications. This means that exploiting the vulnerability could potentially disrupt a vast number of applications that rely on the library. The vulnerability itself lies in the interaction mechanism between the client and server components, which is built on sending serialized objects. If an attacker sends serialized data containing malicious functionality, they can execute JavaScript commands directly on the server, bypassing all client-side request validation. Technical details about this vulnerability and an example of how Kaspersky solutions detect it can be found in our article.
This vulnerability represents a data-handling flaw that occurs when retrieving information from a remote server: when executing the curl or Invoke-WebRequest command, Windows launches Internet Explorer in the background. This can lead to a cross-site scripting (XSS) attack.
This vulnerability reinforces the trend of exploiting security flaws found in file archivers. The core of CVE-2025-11001 lies in the incorrect handling of symbolic links. An attacker can craft an archive so that when it is extracted into an arbitrary directory, its contents end up in the location pointed to by a symbolic link. The likelihood of exploiting this vulnerability is significantly reduced because utilizing such functionality requires the user opening the archive to possess system administrator privileges.
This vulnerability was associated with a wave of misleading news reports claiming it was being used in real-world attacks against end users. This misconception stemmed from an error in the security bulletin.
The year 2025 saw a surge in high-profile vulnerabilities, several of which were significant enough to earn a unique nickname. This was the case with CVE-2025-49844, also known as RediShell, which was unveiled during a hacking competition. This vulnerability is a use-after-free issue related to how the load command functions within Lua interpreter scripts. To execute the attack, an attacker needs to prepare a malicious script and load it into the interpreter.
As with any named vulnerability, RediShell was immediately weaponized by threat actors and spammers, albeit in a somewhat unconventional manner. Because technical details were initially scarce following its disclosure, the internet was flooded with fake PoC exploits and scanners claiming to test for the vulnerability. In the best-case scenario, these tools were non-functional; in the worst, they infected the system. Notably, these fraudulent projects were frequently generated using LLMs. They followed a standardized template and often cross-referenced source code from other identical fake repositories.
Driver vulnerabilities are often discovered in legitimate third-party applications that have been part of the official OS distribution for a long time. Thus, CVE-2025-24990 has existed within code shipped by Microsoft throughout nearly the entire history of Windows. The vulnerable driver has been shipped since at least Windows 7 as a third-party driver for Agere Modem. According to Microsoft, this driver is no longer supported and, following the discovery of the flaw, was removed from the OS distribution entirely.
The vulnerability itself is straightforward: insecure handling of IOCTL codes leading to a null pointer dereference. Successful exploitation can lead to arbitrary command execution or a system crash resulting in a blue screen of death (BSOD) on modern systems.
CVE-2025-59287 represents a textbook case of insecure deserialization. Exploitation is possible without any form of authentication; due to its ease of use, this vulnerability rapidly gained traction among threat actors. Technical details and detection methodologies for our product suite have been covered in our previous advisories.
In Q4 2025, the rate of vulnerability registration has shown no signs of slowing down. Consequently, consistent monitoring and the timely application of security patches have become more critical than ever. To ensure resilient defense, it is vital to regularly assess and remediate known vulnerabilities while implementing technology designed to mitigate the impact of potential exploits.
Continuous monitoring of infrastructure, including the network perimeter, allows for the timely identification of threats and prevents them from escalating. Effective security also demands tracking the current threat landscape and applying preventative measures to minimize risks associated with system flaws. Kaspersky Next serves as a reliable partner in this process, providing real-time identification and detailed mapping of vulnerabilities within the environment.
Securing the workplace remains a top priority. Protecting corporate devices requires the adoption of solutions capable of blocking malware and preventing it from spreading. Beyond basic measures, organizations should implement adaptive systems that allow for the rapid deployment of security updates and the automation of patch management workflows.
Steady cadence of Android zero-days marked as exploited in the wild makes its path to 2026. Following CVE-2025-48633 and CVE-2025-48572, two Android Framework bugs Google flagged for active exploitation, defenders keep seeing the same familiar pattern. Mobile-chain vulnerabilities can move fast from limited attacks to real enterprise risk when patching lags.
In March 2026, that storyline continues with CVE-2026-21385, a high-severity vulnerability in a Qualcomm Graphics subcomponent. Google’s Android Security Bulletin warns that there are indications that CVE-2026-21385 may be under limited, targeted exploitation.
As of early 2026, data indicates that 2025 was a record-breaking year for cybersecurity vulnerabilities, with Android remaining a primary target for mobile threats. The first half of 2025 saw Android malware rise by 151%, according to Malwarebytes. More vulnerabilities and more mobile malware together shrink the margin for delayed patching, especially when attackers focus on high-value targets.
Sign up for SOC Prime Platform, aggregating the world’s largest detection intelligence dataset and offering a complete product suite that empowers SOC teams to seamlessly handle everything from detection to simulation. The Platform features a large collection of rules addressing critical exploits. Just press Explore Detections and immediately drill down to a relevant detection stack filtered by “CVE” tag.
All rules are mapped to the latest MITRE ATT&CK® framework and are compatible with multiple SIEM, EDR, and Data Lake platforms. Additionally, each rule comes packed with broad metadata, including CTI references, attack flows, audit configurations, and more.
Cyber defenders can also use Uncoder AI to streamline their detection engineering routine. Turn raw threat reports into actionable behavior rules, test your detection logic, map out attack flows, turn IOCs into hunting queries, or instantly translate detection code across languages backed by the power of AI and deep cybersecurity expertise behind every step.
Google has recently issued its March 2026 Android Security Bulletin, addressing 129 security vulnerabilities across multiple components, including the Framework, System, and hardware-related areas such as Qualcomm drivers. Google confirmed that one of the fixed flaws, CVE-2026-21385 in a Qualcomm display and graphics component, has signals of real-world abuse.
While Google did not provide further details about the attacks, Qualcomm described the bug in its own advisory as an integer overflow or wraparound in the Graphics subcomponent that can be exploited by a local attacker to trigger memory corruption. The vendor also notes that CVE-2026-21385 affects 235 Qualcomm chipsets, expanding exposure across device models and OEM update timelines.
Qualcomm stated it was alerted to the vulnerability on December 18 by Google’s Android Security team and notified customers on February 2. CVE-2026-21385 has also been added to CISA’s Known Exploited Vulnerabilities catalog as of March 3, 2026, requiring Federal Civilian Executive Branch agencies to apply fixes by March 24, 2026.
Fixes for CVE-2026-21385 were included in the second part of the March 2026 Android updates, delivered to devices as the 2026-03-05 security patch level. This patch level addresses over 60 vulnerabilities across Kernel and third-party components, including Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm.
The first part of the March updates, rolling out as the 2026-03-01 security patch level, contains fixes for over 50 vulnerabilities in the Framework and System components, including critical issues that could lead to remote code execution and denial of service.
Devices running a security level of 2026-03-05 or higher contain patches for all vulnerabilities listed in the March 2026 bulletin. In enterprise environments, it is important to apply the latest security updates provided for each device model, validate patch levels across managed devices, and prioritize remediation for high-risk users where update rollout is slow or device diversity complicates coverage.
What is CVE-2026-21385 and how does it work?
CVE-2026-21385 is a high-severity vulnerability in a Qualcomm Graphics subcomponent, described as an integer overflow or wraparound that can lead to memory corruption.
When was CVE-2026-21385 first discovered?
Qualcomm states it was alerted to the vulnerability on December 18, 2025, by Google’s Android Security team. Qualcomm then notified customers on February 2, 2026, and Google addressed it in the March 2026 Android Security Bulletin.
What is the impact of CVE-2026-21385 on organizations and users?
Because CVE-2026-21385 is a memory corruption flaw and is flagged for limited, targeted exploitation, it can create a path to device compromise on unpatched Android systems. For organizations, this can translate into a higher risk of credential theft, access to corporate apps and data on the device, and follow-on intrusion activity if the compromised user has privileged access. For individual users, exploitation can mean loss of device integrity and exposure of sensitive personal or work information until the device is updated.
Can CVE-2026-21385 still affect me in 2026?
Yes. Devices that have not received the March 2026 Android Security Bulletin updates, or are running a security patch level below 2026-03-05, may remain exposed.
How can you protect from CVE-2026-21385?
Update Android devices to the latest available security release for your device model and verify the security patch level is 2026-03-05 or higher.
The post CVE-2026-21385: Google Patches Qualcomm Zero-Day Exploited in Targeted Android Attacks appeared first on SOC Prime.
New day, new vulnerability in the spotlight. We’re once again seeing how quickly weaponized flaws in widely deployed platforms turn into real operational risk. Coverage of maximum-severity Cisco bugs (CVE-2025-20393, CVE-2026-20045), as well as the Dell RecoverPoint zero-day CVE-2026-22769, shows that attackers are increasingly prioritizing edge-facing infrastructure that quietly controls traffic flows, identity paths, and service availability.
That story continues with CVE-2026-20127, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). Cisco Talos reports the flaw is being actively exploited and tracks the activity as UAT-8616, assessing with high confidence that a highly sophisticated threat actor has been exploiting it since at least 2023.
GreyNoise’s 2026 State of the Edge Report shows why confirmed exploitation in edge-facing network control systems demands urgent action. In H2 2025, GreyNoise observed 2.97 billion malicious sessions from 3.8 million unique source IPs targeting internet-facing infrastructure, underscoring how quickly exploitation traffic scales once attackers focus on an exposed surface.
Register for SOC Prime’s AI-Native Detection Intelligence Platform, backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.
Detections from the dedicated rule set can be applied across multiple SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.
Cisco Talos describes CVE-2026-20127 as an issue that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending crafted requests. Cisco’s public advisory ties the root cause to a peering authentication mechanism that is not working properly.
A successful exploit can let an attacker log in to a Catalyst SD-WAN Controller as an internal, high-privileged, non-root account, then use that access to reach NETCONF and manipulate SD-WAN fabric configuration. That kind of control-plane access is exactly what makes SD-WAN incidents so disruptive, as the attackers are in a position to shape how the network behaves.
Multiple government and partner advisories describe a common post-exploitation path. After exploiting CVE-2026-20127, actors have been observed adding a rogue peer and then moving toward root access and long-term persistence within SD-WAN environments. Talos adds that intelligence partners observed escalation involving a software version downgrade, exploitation of CVE-2022-20775, and then restoration back to the original version, a sequence that can complicate detection if teams only validate the “current” running version.
Because exploitation is confirmed and impacts systems used to manage connectivity across sites and clouds, CISA issued Emergency Directive 26-03 for U.S. federal civilian agencies, with an accelerated requirement to complete required actions by 5:00 PM (ET) on February 27, 2026. FedRAMP also relayed the same urgency to cloud providers supporting federal environments.
According to Cisco’s advisory, CVE-2026-20127 affects Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager regardless of device configuration, across these deployment types:
Cisco also notes there are no workarounds that fully address this vulnerability. The durable fix is upgrading to a patched release, with the exact fixed versions listed in Cisco’s advisory under the Fixed Software section.
Users are urged to start by prioritizing patching as the only complete remediation and verify the fixes are actually in place across every in-scope Catalyst SD-WAN Controller and Manager instance.
Next, to reduce the attack surface while users patch and validate, CISA and the UK NCSC guidance emphasize restricting network exposure, placing SD-WAN control components behind firewalls, and isolating management interfaces from untrusted networks. In parallel, SD-WAN logs should be forwarded to external systems so attackers cannot easily erase local evidence.
Finally, it is better to treat this as both a patching and an investigation event. Cisco recommends auditing /var/log/auth.log for entries like “Accepted publickey for vmanage-admin” coming from unknown or unauthorized IP addresses, then comparing those source IPs against the configured System IPs listed in the Manager UI (WebUI > Devices > System IP). If users suspect compromise, Cisco advises engaging Cisco TAC and collecting the admin-tech output (for example, via request admin-tech) so it can be reviewed.
Because the reported activity can include version downgrade and unexpected reboot behavior as part of the post-compromise chain, public guidance also recommends checking the following logs for downgrade/reboot indicators:
/var/volatile/log/vdebug/var/log/tmplog/vdebug/var/volatile/log/sw_script_synccdb.logTo strengthen coverage beyond patching and mitigation steps, rely on the SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and stay ahead of emerging threats.
What is CVE-2026-20127 and how does it work?
CVE-2026-20127 is a critical authentication bypass in Cisco Catalyst SD-WAN Controller and SD-WAN Manager that lets an unauthenticated attacker send crafted requests and gain administrative access due to a broken peering authentication check.
When was CVE-2026-20127 first discovered?
Cisco disclosed it in late February 2026, while Cisco Talos reports evidence that CVE-2026-20127 has already been exploited in real attacks since at least 2023.
What risks does CVE-2026-20127 pose to systems?
It can hand attackers control-plane access, enabling them to add a rogue peer, change SD-WAN fabric configuration via NETCONF, and move toward persistence and root-level control, including downgrade-and-restore activity tied to chaining with CVE-2022-20775.
Can CVE-2026-20127 still affect me in 2026?
Yes. If you have not patched, or you patched without checking for compromise, you may still be at risk.
How can you protect from CVE-2026-20127?
Upgrade to Cisco’s fixed releases, restrict exposure of SD-WAN control components, and review logs for signs of suspicious access; involve Cisco TAC if anything looks abnormal.
The post CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited Since 2023 appeared first on SOC Prime.
