Apache has patched CVE-2026-23918, a critical flaw in Apache HTTP Server’s HTTP/2 handling that Apache describes as a “double free and possible RCE.” The issue affects Apache HTTP Server 2.4.66 and was fixed in 2.4.67, released on May 4, 2026.

The CVE-2026-23918 vulnerability matters because it can be abused remotely and without authentication. Public reporting says the bug can cause a denial-of-service condition and, under certain conditions, may also open a path to remote code execution, making it one of the most serious issues addressed in Apache’s latest security release.

Apache credits Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl with reporting the flaw. Apache’s own vulnerability page shows it was reported to the security team on December 10, 2025, fixed in source on December 11, 2025, and shipped to users in the 2.4.67 release months later.

CVE-2026-23918 analysis

According to Apache and researcher commentary cited by The Hacker News, the bug is a double-free in mod_http2, specifically in the stream cleanup path. It can be triggered when a client sends an HTTP/2 HEADERS frame and then immediately sends RST_STREAM with a non-zero error code before the stream is fully registered by the multiplexer.

That sequence can cause two callbacks to run in a way that pushes the same stream object into the cleanup array twice. When Apache later destroys the stream entries, memory that has already been freed gets released again. In practical terms, the vulnerability in CVE-2026-23918 is a memory-management flaw that can crash worker processes and, in the right environment, be shaped into code execution.

The denial-of-service path appears to be the easiest outcome. The researchers told The Hacker News that one TCP connection and two HTTP/2 frames are enough to crash a worker in default deployments that use mod_http2 with a multi-threaded MPM. They also noted that MPM prefork is not affected, while the possible RCE path depends on an APR configuration using the mmap allocator, which is said to be the default on Debian-derived systems and in the official httpd Docker image.

As for exploitation maturity, public reporting says the researchers built a working CVE-2026-23918 poc for x86_64 in lab conditions. They also said practical exploitation still needs helpful conditions such as an information leak and favorable memory reuse, so code execution is more demanding than simple service disruption.

At this stage, public details for CVE-2026-23918 point much more clearly to process crashes and worker instability than to widely reproducible RCE in the field. There are also no vendor-published CVE-2026-23918 iocs, so defenders should focus on version exposure, unexpected worker crashes, and suspicious HTTP/2 reset patterns rather than on a stable signature set.

Explore Detections

CVE-2026-23918 Mitigation

The core fix is to upgrade Apache HTTP Server from 2.4.66 to 2.4.67. Apache’s security advisory explicitly recommends moving to the patched version, and SecurityWeek notes that the release fixes 11 vulnerabilities, including this critical HTTP/2 issue.

For immediate triage, defenders should identify internet-facing systems where mod_http2 is enabled and where threaded MPMs are in use. That is the most practical way to detect CVE-2026-23918 exposure because the attack hinges on HTTP/2 request handling, not on a dropped malware artifact or traditional post-exploitation beacon.

If emergency patching is delayed, reducing exposure to HTTP/2 traffic may help shrink the attack surface until updates are applied. The CVE-2026-23918 payload described publicly is not a conventional file or binary but a crafted sequence of HTTP/2 frames designed to force the faulty cleanup path, so network-facing Apache instances should be prioritized first.

From a risk perspective, CVE-2026-23918 affects organizations that rely on Apache HTTP Server 2.4.66 for public web workloads, especially where HTTP/2 is enabled by default or broadly deployed for performance reasons. That includes standard Linux-based web servers as well as containerized deployments using the official Apache image.

The post CVE-2026-23918: Critical Apache HTTP/2 Flaw Can Trigger DoS and Possible RCE appeared first on SOC Prime.

Edge security appliances remain high-value targets, especially when a flaw can be exploited before a patch is widely available. The CVE-2026-0300 vulnerability is a critical buffer overflow in the User-ID Authentication Portal, also known as Captive Portal, in Palo Alto Networks PAN-OS. Palo Alto rates it 9.3/10 when the portal is exposed to the internet or other untrusted networks, and says an unauthenticated attacker can execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets.

For teams beginning CVE-2026-0300 analysis, the most important details for CVE-2026-0300 are the exposure conditions: the issue applies only when User-ID Authentication Portal is enabled, and Palo Alto says risk is greatly reduced when access is limited to trusted internal IP addresses. The company also says limited exploitation has already been observed against portals exposed to untrusted IP space or the public internet.

In practice, CVE-2026-0300 affects only PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Prisma Access, Cloud NGFW, and Panorama are not impacted, which makes configuration review as important as version review when triaging exposure.

CVE-2026-0300 analysis

The vulnerability in CVE-2026-0300 is a buffer overflow in PAN-OS’s User-ID Authentication Portal service. According to Palo Alto, exploitation does not require credentials or user interaction, and the attacker’s goal is remote code execution as root through specially crafted network packets. SecurityWeek likewise describes the flaw as a zero-day used to hack some firewall models, underscoring that this is not a theoretical issue.

The publicly described CVE-2026-0300 payload is not a malware file dropped to disk but a malicious packet sequence sent to the Captive Portal component. Neither the vendor advisory nor the cited media reports includes a public CVE-2026-0300 poc, but the confirmed in-the-wild exploitation means defenders should assume capable threat actors already understand the triggering conditions well enough to weaponize them.

From a risk standpoint, CVE-2026-0300 detection should focus on externally reachable Authentication Portal instances and signs of attempted access to that service from untrusted networks. Palo Alto’s advisory does not publish packet-level CVE-2026-0300 iocs, so defenders are better served by identifying exposed portal configurations, narrowing allowed source IP ranges, and prioritizing internet-facing firewalls for remediation.

Explore Detections

CVE-2026-0300 Mitigation

Effective CVE-2026-0300 mitigation starts with reducing exposure before fixes land. Palo Alto recommends either restricting User-ID Authentication Portal access to trusted zones/internal IP addresses or disabling the portal entirely if it is not required. That advice is especially important because, at disclosure, the flaw was still unpatched, with the first wave of fixes expected on May 13, 2026 and additional releases on May 28, 2026 across supported 12.1, 11.2, 11.1, and 10.2 trains.

To Detect CVE-2026-0300 exposure in your environment, verify whether Device > User Identification > Authentication Portal Settings has the portal enabled and determine whether it is reachable from the internet or any untrusted network segment. Palo Alto’s advisory makes clear that customers following this hardening model are at greatly reduced risk compared with deployments that leave the service publicly accessible.

Organizations should also map affected firewalls to Palo Alto’s target fixed versions and prepare an upgrade plan as soon as the relevant release becomes available. Because limited exploitation is already underway, this is a case where configuration hardening and emergency change control should happen in parallel rather than waiting for normal maintenance windows.

The post CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls appeared first on SOC Prime.

A newly disclosed CVE-2026-41940 vulnerability in cPanel & WHM has put internet-facing hosting infrastructure under urgent scrutiny. The flaw carries a CVSS score of 9.8 and can let an unauthenticated remote attacker bypass authentication and gain administrative access, while cPanel’s advisory says the issue affects cPanel software, including DNSOnly, across all versions after 11.40.

For defenders, CVE-2026-41940 detection should focus on exposed control panel instances, emergency patch validation, and session-file triage rather than malware hunting. Hosting provider KnownHost said the flaw was being actively exploited in the wild, and that a public technical analysis plus exploit code had already been released by watchTowr, raising the likelihood of broader opportunistic abuse.

The business risk is substantial because successful exploitation can give attackers control over the cPanel host, its configurations and databases, and the websites it manages. A simple Shodan query returned roughly 1.5 million exposed cPanel instances, underscoring how much attack surface may be available to both targeted and mass scanning activity.

CVE-2026-41940 analysis

The bug is describes as an authentication bypass rooted in CRLF injection during the login and session-loading process in cPanel & WHM. According to its technical overview, cpsrvd writes a new session file to disk before authentication completes, and an attacker can manipulate the whostmgrsession cookie so attacker-controlled values avoid the expected encryption path and are written into the session file unsanitized.

In practical terms, the vulnerability in CVE-2026-41940 lets an attacker inject arbitrary properties such as user=root into a session file, then trigger a reload so the application treats the session as administrative. That is why this issue is especially dangerous for shared hosting environments and server operators: it is not merely a login bug, but a route to privileged control over the management plane itself.

Unlike a malware dropper, the CVE-2026-41940 payload is a crafted authentication request that abuses newline injection and malformed session values to poison pre-auth session data. A public CVE-2026-41940 poc was already available through third-party research.

Official details for CVE-2026-41940 are broader than the exploit mechanics alone. cPanel says the issue affects cPanel software including DNSOnly, while patched builds were issued for 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, alongside WP Squared 136.1.7. TheCyberExpress also highlighted that administrators must verify the installed version and restart cpsrvd after updating.

Just as importantly, CVE-2026-41940 affects not only directly exposed cPanel & WHM systems but also operational workflows that rely on pinned builds or disabled automatic updates. That matters because cPanel warned that such servers will not auto-update and must be manually remediated as a priority, while unsupported versions may also remain exposed until organizations move to supported release tracks.

Explore Detections

CVE-2026-41940 Mitigation

The vendor’s primary guidance is straightforward: update immediately to one of the fixed versions using /scripts/upcp –force, confirm the installed build with /usr/local/cpanel/cpanel -V, and restart the service with /scripts/restartsrv_cpsrvd. cPanel also says administrators should manually identify systems where updates are disabled or version pinning prevents automatic remediation.

When patching cannot happen right away, cPanel recommends temporary containment steps that include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall or stopping cpsrvd and cpdavd. TheCyberExpress echoed the same short-term advice and noted that some providers restricted panel access while broader patch rollout was underway.

To detect CVE-2026-41940, defenders should use the vendor’s filesystem-based detection script and review suspicious entries under /var/cpanel/sessions. cPanel’s script looks for session artifacts such as token_denied appearing together with cp_security_token, authenticated attributes inside pre-auth sessions, suspicious tfa_verified states, and malformed multi-line password values. Those published checks effectively act as CVE-2026-41940 iocs for post-exploitation triage.

If the script flags likely compromise, cPanel says defenders should purge affected sessions, force password resets for root and all WHM users, audit /var/log/wtmp and WHM access logs, and look for persistence such as cron entries, SSH keys, or backdoors. In other words, CVE-2026-41940 mitigation should be handled as both patching and incident response, not just a routine version upgrade. When patching cannot happen right away, cPanel recommends temporary containment steps that include blocking inbound traffic on ports 2083, 2087, 2095, 2096 and http ports 2082, 2086 at the firewall.

The post CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover appeared first on SOC Prime.

Apple has released security updates to address a Notification Services issue in iOS and iPadOS that could cause alerts marked for deletion to remain stored on a device. The fix was delivered in iOS 26.4.2 / iPadOS 26.4.2 and iOS 18.7.8 / iPadOS 18.7.8, where Apple says the problem was resolved through improved data redaction.

The issue drew attention because it was patched outside Apple’s normal release cycle and was publicly linked to concerns that deleted notification content could remain recoverable on affected devices. Based on public reporting, the flaw may have allowed sensitive message previews to persist in internal notification storage longer than users would reasonably expect.

For defenders and privacy-focused users, the key concern is not traditional remote exploitation but unintended data retention. At the time of disclosure, Apple did not publish exploit samples, telemetry artifacts, or a public proof-of-concept, leaving many technical details for CVE-2026-28950 limited to the vendor advisory and media reporting.

CVE-2026-28950 analysis

Apple describes the issue as a logging-related flaw in Notification Services that allowed notifications intended for deletion to be unexpectedly retained on the device. In practice, this means content visible in alerts, such as message previews or other app-generated text, may continue to exist in local storage after the user assumes it has been removed.

Public reporting connected the patch to earlier forensic concerns involving message content recovered from notification storage on iPhones. While Apple did not explicitly confirm those reports as the direct trigger for the update, the description of the flaw closely aligns with the broader privacy risk described in public coverage.

Explore Detections

The main security impact is on confidentiality rather than integrity or availability. The problem is especially relevant in environments where lock-screen notifications or mobile message previews may expose regulated, operational, or otherwise sensitive information. From that standpoint, the CVE-2026-28950 vulnerability is best understood as a privacy and data-remanence issue rather than a conventional code-execution bug.

Public reporting also leaves several gaps. Apple did not assign a public CVSS score in the cited coverage, and there are no published network indicators or forensic signatures that would support classic threat hunting. As a result, organizations should focus on version validation and privacy controls rather than looking for a known CVE-2026-28950 payload or a fixed list of CVE-2026-28950 IOCs.

CVE-2026-28950 Mitigation

The primary response is to install Apple’s fixed releases across affected iPhone and iPad fleets. Security teams should verify that supported devices have moved to the patched versions and prioritize users who regularly handle confidential communications, executive discussions, legal material, or regulated data on mobile devices.

An additional defense-in-depth step is to reduce the amount of sensitive information shown in notifications. Public reporting notes that Signal users, for example, can limit what appears in alerts by changing notification content settings to display less message text. While that does not replace patching, it can reduce exposure where private data might otherwise remain accessible in notification storage.

From an operational perspective, the most practical path is simple: inventory devices, confirm version compliance, and review notification-preview policies for high-risk user groups. This is a more realistic protection strategy than trying to Detect CVE-2026-28950 through conventional threat indicators, because the issue centers on retained local data rather than a well-documented exploit chain.

Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.

The post CVE-2026-28950: Apple Fixes iOS Flaw That Retained Deleted Notification Data appeared first on SOC Prime.

Microsoft has released out-of-band updates for CVE-2026-40372, a high-impact ASP.NET Core privilege-escalation vulnerability tied to the platform’s Data Protection cryptographic APIs. Public reporting says the flaw carries a CVSS score of 9.1 and could allow an unauthenticated attacker to forge authentication material and ultimately obtain SYSTEM privileges on affected systems.

The issue stands out not only because of its severity, but also because it was serious enough to trigger an emergency release outside the normal patch cycle. BleepingComputer reports Microsoft investigated after customers saw decryption failures following the .NET 10.0.6 update, while The Hacker News notes the bug was reported by an anonymous researcher and fixed in ASP.NET Core 10.0.7.

CVE-2026-40372 Analysis

According to Microsoft details cited by both publications, CVE-2026-40372 stems from improper verification of a cryptographic signature in ASP.NET Core. More specifically, the affected Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 NuGet packages could compute the HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases. That breaks the trust model behind protected application data and opens the door to forged payloads that pass authenticity checks.

The attack surface is narrower than a generic “all ASP.NET Core apps are vulnerable” headline might suggest. The Hacker News says successful exploitation depends on three conditions: the application must use Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet either directly or through a dependent package, the NuGet copy must actually be loaded at runtime, and the application must run on Linux, macOS, or another non-Windows operating system.

Explore Detections

If those conditions are met, the impact can be severe. The affected validation routine may let an attacker forge payloads and decrypt previously protected values stored in items such as authentication cookies, antiforgery tokens, TempData, and OpenID Connect state. Microsoft also says exploitation could enable file disclosure and data modification, although it does not affect availability.

The most dangerous enterprise scenario is privilege escalation through trust abuse rather than noisy code execution. If an attacker can authenticate as a privileged user during the vulnerable window, the application may issue legitimately signed follow-on artifacts to the attacker, including refreshed sessions, API keys, or password-reset links. Those artifacts can remain valid even after the package is upgraded unless defenders also rotate the Data Protection key ring.

CVE-2026-40372 Mitigation

The primary fix is straightforward: update Microsoft.AspNetCore.DataProtection to version 10.0.7 and redeploy affected applications. Microsoft’s guidance, as quoted by BleepingComputer, is to apply the new package as soon as possible so the broken validation routine is corrected and forged payloads are rejected going forward.

That said, patching alone may not fully close the exposure. Both reports note that tokens issued during the vulnerable period can remain valid after upgrading unless the Data Protection key ring is rotated. In practice, organizations should treat key rotation as part of the remediation workflow, especially for internet-facing apps that rely heavily on cookies, antiforgery tokens, password-reset flows, or other signed application state. That last prioritization is an operational inference based on the affected token types and exploit preconditions.

A practical response plan is to identify non-Windows ASP.NET Core applications that loaded the vulnerable NuGet package at runtime, patch them to 10.0.7, rotate the Data Protection key ring, and review whether privileged sessions or other signed artifacts may have been issued while the application was exposed. Where feasible, teams should also consider expiring or reissuing sensitive session material after remediation. The package-and-runtime triage criteria come directly from Microsoft’s published conditions; the token review and reissuance step is a reasonable defensive inference from Microsoft’s warning that legitimately signed tokens may survive the upgrade.

Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.

The post CVE-2026-40372: Critical ASP.NET Core Flaw May Let Attackers Gain SYSTEM Privileges appeared first on SOC Prime.

Phishing remains one of the most effective tactics in the cybercriminal playbook, particularly when attackers exploit urgent humanitarian themes, trusted online resources, and legitimate system tools to increase victim engagement. Europol also notes that phishing continues to serve as a primary delivery vector for data-stealing malware. This pattern is clearly reflected in the latest activity tracked by CERT-UA, where threat actors used humanitarian-aid themed lures and multi-stage malware delivery to target Ukrainian organizations.

In a CERT-UA article, researchers described a UAC-0247 campaign targeting local self-government bodies, communal healthcare institutions, and likely representatives of Ukraine’s Defense Forces. The operation ultimately deployed AGINGFLY and related malicious tools, combining phishing, deceptive web delivery, and abuse of legitimate Windows utilities to establish access and support follow-on compromise.

CERT-UA’s latest reporting highlights another wave of phishing-driven intrusions targeting Ukraine’s civilian and potentially defense-adjacent sectors. In the campaign described in the article, attackers used humanitarian-aid themed emails to lure victims into opening malicious content that eventually deployed AGINGFLY, a malware family associated with remote access, credential theft, and follow-on post-compromise activity. The observed targets included local self-government bodies, communal healthcare institutions, including clinical and emergency hospitals, and likely individuals connected to FPV drone operations.

Sign up for the SOC Prime Platform to proactively defend your organization against UAC-0247 attacks. Just press Explore Detections below and access a relevant detection rule stack, enriched with AI-native CTI, mapped to the MITRE ATT&CK® framework, and compatible with a wide range of SIEM, EDR, and Data Lake technologies.

Security teams can search the Threat Detection Marketplace using the “UAC-0247” tag to identify relevant detections and monitor related content updates. Cyber defenders can also rely on Uncoder AI to convert raw threat intelligence into performance-optimized queries, document and improve rule logic, and generate Attack Flows based on the latest CERT-UA reporting.

Explore Detections

Analyzing UAC-0247 Attacks Delivering AGINGFLY via Humanitarian-Themed Phishing Lures

According to CERT-UA, the attack chain began with phishing emails disguised as humanitarian aid proposals. Victims were prompted to click a link that redirected either to a legitimate website compromised through cross-site scripting (XSS) or to a fake website generated with AI tools. In both scenarios, the objective was to persuade the victim to download and open an archive containing a malicious LNK file.

Once launched, the shortcut file abused mshta.exe to retrieve and execute a remote HTA file. The HTA displayed a decoy form to distract the victim while simultaneously downloading an executable that injected shellcode into a legitimate process, such as RuntimeBroker.exe. CERT-UA also noted that more recent stages of the campaign relied on a two-stage loader, with the second stage using a proprietary executable format and the final payload additionally compressed and encrypted to complicate detection and analysis.

Among the next-stage components identified in the campaign were RAVENSHELL, which acted as a reverse-shell style stager, SILENTLOOP, a PowerShell-based tool capable of executing commands and obtaining command-and-control data, and AGINGFLY, the primary malware family used in the operation. CERT-UA-linked reporting indicates that AGINGFLY is designed for remote control, data theft, and follow-on compromise activity.

The campaign also supported credential theft, reconnaissance, and lateral movement. Investigators observed the use of tooling to extract data from Chromium-based browsers, access messaging-related data, scan internal networks, and tunnel traffic across compromised environments. In one of the investigated cases, forensic evidence suggested that representatives of Ukraine’s Defense Forces may have been targeted using malicious ZIP archives distributed via Signal and designed to deploy AGINGFLY through DLL side-loading.

To reduce exposure to this activity, CERT-UA recommends restricting the execution of risky file types such as LNK, HTA, and JS, while also limiting or closely monitoring the use of native Windows tools frequently abused in the infection chain, including mshta.exe, powershell.exe, and wscript.exe.

MITRE ATT&CK Context

Leveraging MITRE ATT&CK helps contextualize the latest UAC-0247 activity. Based on the reported TTPs, the most relevant techniques likely include Phishing: Spearphishing Link (T1566.002), Command and Scripting Interpreter, Process Injection (T1055), Web Protocols / WebSockets for C2, Credential Access, and Lateral Movement via tunneling and proxying tools. This mapping reflects the phishing lures, deceptive web delivery, LNK-to-HTA execution, shellcode injection, AGINGFLY deployment, and follow-on credential theft and internal reconnaissance.

The post UAC-0247 Attack Detection: AGINGFLY Malware Targets Hospitals, Local Governments, and FPV Operators in Ukraine appeared first on SOC Prime.