
Cisco Patches Critical ISE Vulnerabilities Allowing Remote Code Execution Attacks


Cisco has released security updates to fix multiple vulnerabilities in its Identity Services Engine and Webex Services, warning that successful exploitation could lead to remote code execution, root-level access, and user impersonation. The Cisco ISE vulnerabilities affect widely used enterprise authentication and collaboration systems, making patching a priority for organizations. The Cisco ISE vulnerabilities and the Webex Services flaw have not been observed in active exploitation so far. However, the company has urged customers to update affected systems immediately to reduce risk exposure.

Critical Cisco ISE Vulnerabilities Enable Remote Code Execution

The most severe issues impact Cisco Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC). These Cisco ISE vulnerabilities stem from insufficient validation of user-supplied input, a flaw that allows attackers to send specially crafted HTTP requests to targeted systems. Among them, CVE-2026-20147 carries a CVSS score of 9.9 and allows an authenticated attacker with administrative credentials to execute arbitrary commands on the underlying operating system. According to Cisco, this could enable attackers to gain user-level access and then escalate privileges to root. Two additional vulnerabilities, CVE-2026-20180 and CVE-2026-20186, also rated 9.9, allow attackers with read-only administrative access to execute arbitrary commands. These Cisco ISE vulnerabilities highlight how even limited privileges can be leveraged for deeper system compromise. Cisco noted that exploitation in single-node deployments could disrupt services entirely, potentially leading to a denial-of-service condition where new endpoints cannot authenticate to the network.

Webex Services Flaw Risks User Impersonation

Alongside the Cisco ISE vulnerabilities, a critical issue has been identified in Cisco Webex Services. Tracked as CVE-2026-20184 with a CVSS score of 9.8, the flaw affects single sign-on integration with Control Hub. This vulnerability is caused by improper certificate validation and could allow an unauthenticated remote attacker to impersonate any user within the service. Successful exploitation could result in unauthorized access to legitimate Webex accounts, raising concerns for enterprises relying on the platform for communication and collaboration.

Affected Versions and Exposure

The Cisco ISE vulnerabilities impact multiple versions of the platform. All Cisco ISE versions 3.5 and earlier are affected by CVE-2026-20147, while versions 3.4 and earlier are vulnerable to CVE-2026-20180 and CVE-2026-20186. Cisco ISE-PIC systems are also impacted regardless of configuration. For Webex Services, the vulnerability affects deployments using SSO integration with Control Hub. Cisco emphasized that the vulnerabilities are independent of each other, meaning exploitation of one does not require another. Some versions may be affected by specific flaws while not impacted by others.

No Workarounds Available, Patching is Essential

Cisco has confirmed that there are no workarounds to mitigate these vulnerabilities. Organizations must apply the available software updates to fully address the risks. Fixed releases have been issued across supported versions. For example, patches include ISE 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, and 3.5 Patch 3. Systems running versions earlier than 3.1 are advised to migrate to a supported release. Security teams are also advised to review system configurations and ensure that upgrade prerequisites such as hardware compatibility and memory requirements are met before deployment.

No Active Exploitation Reported But Risk Remains High

The Cisco Product Security Incident Response Team has stated that it is not aware of any public exploitation or malicious use of these vulnerabilities at the time of disclosure. The issues were reported by Jonathan Lein of TrendAI Research. Despite the lack of active attacks, the severity of the Cisco ISE vulnerabilities and the Webex flaw places them in a high-risk category. Vulnerabilities that allow remote code execution or user impersonation are often targeted quickly once technical details become public.

Security Implications for Enterprises

The Cisco ISE vulnerabilities are particularly significant because ISE plays a central role in network access control, authentication, and policy enforcement. A compromise could provide attackers with deep visibility and control over enterprise networks. Similarly, the Webex vulnerability introduces risks to identity and access management, especially in environments that rely on SSO for centralized authentication. Organizations using affected products are advised to prioritize patching, restrict administrative access where possible, and monitor systems for suspicious activity. Cisco has made detailed advisories and upgrade guidance available through its security portal, and customers are encouraged to follow official recommendations to secure their environments.

Hackers Exploit Kali Forms Vulnerability to Take Over WordPress Sites


A recently disclosed Kali Forms vulnerability affecting a widely used WordPress plugin has escalated into an active security threat, enabling unauthenticated attackers to achieve Remote Code Execution on affected websites. The flaw impacts Kali Forms, a drag-and-drop form builder with more than 10,000 active installations, and was exploited in the wild shortly after public disclosure. Security researchers reported that the vulnerability was first submitted on March 2, 2026, through a bug bounty program, identifying a critical Remote Code Execution issue in the plugin. The vendor released a patched version on March 20, 2026, and the issue was simultaneously added to the Wordfence Intelligence database. On the same day, attackers began actively exploiting it at scale.

Timeline of the Kali Forms Vulnerability in the WordPress Plugin Ecosystem 

The Kali Forms vulnerability followed a rapid disclosure-to-exploitation cycle:
  • March 2, 2026: Initial submission of the Remote Code Execution flaw via bug bounty reporting.
  • March 5, 2026: Wordfence Premium, Care, and Response users received firewall protection.
  • March 20, 2026: Patched version released; vulnerability publicly disclosed; attackers began exploiting the same day.
  • April 4, 2026: Free Wordfence users received delayed firewall protection.
  • April 4–10, 2026: Peak exploitation activity observed against the Kali Forms vulnerability.

The patched release addressed the issue in version 2.4.10 of the WordPress plugin, while all versions up to and including 2.4.9 remained vulnerable.

Technical Root Cause Behind the Kali Forms Vulnerability

The core of this WordPress plugin flaw lies in how user-supplied form data is processed and stored internally. The vulnerability resides in the form_process flow and the prepare_post_data() function, which incorrectly maps attacker-controlled input into internal placeholder storage without proper validation or allow-list restrictions. These placeholders are later used in the _save_data() method, where unsafe execution occurs through call_user_func(). A simplified excerpt of the vulnerable logic:

    if (isset($this->placeholdered_data['{entryCounter}'])) {
        // the placeholder value can be attacker-supplied, yet it is used as a callable
        $this->placeholdered_data['{entryCounter}'] =
            call_user_func($this->placeholdered_data['{entryCounter}'], $this->post->ID);
    }

Because the Kali Forms vulnerability allows attackers to fully control values like {entryCounter} and {thisPermalink}, an unauthenticated user can inject arbitrary PHP function names. These are then executed directly, resulting in Remote Code Execution (RCE). Researchers noted that the lack of input restrictions in prepare_post_data() allows internal placeholders to be overwritten. As a result, attacker-controlled values flow directly into call_user_func(), making exploitation trivial once the request is submitted. One observed abuse pattern demonstrates authentication bypass attempts using built-in WordPress functions. For example, attackers can assign:
  • {entryCounter} = wp_set_auth_cookie
  • formId = 1
This leads to execution of wp_set_auth_cookie(1), which may log attackers in as the default administrator account if it exists, effectively turning the Kali Forms vulnerability into a full account takeover vector.
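As an added example (not the plugin's code and not the vendor's actual patch), the following PHP sketch shows the two changes that close the pattern just described: prepare_post_data() only accepts fields the form definition allow-lists and rejects any key that would collide with a reserved placeholder, and the save step fills reserved placeholders from trusted server-side values instead of treating stored data as a callable. The class name SafeFormProcessor, the $allowed_fields parameter and the constructed request are assumptions; formId and nonce are assumed to be consumed by form lookup and nonce verification before field mapping.

```php
<?php
// Added example, not Kali Forms' code: a hardened prepare/save flow.
// SafeFormProcessor, $allowed_fields and the sample input are assumptions.

final class SafeFormProcessor
{
    // Placeholders the plugin itself fills in; user input must never reach them.
    private const RESERVED_PLACEHOLDERS = ['{entryCounter}', '{thisPermalink}'];

    /** @var array<string,string> */
    private array $placeholdered_data = [];

    /**
     * Maps submitted field values into placeholders.
     *
     * Only fields the form definition declares ($allowed_fields) are accepted,
     * every value is coerced to plain text, and a submitted key that would
     * collide with a reserved placeholder is rejected instead of overwriting it.
     *
     * @param array<string,mixed> $post_data      raw data[] fields from the request
     * @param string[]            $allowed_fields field names defined by the form
     * @return string[] names of rejected keys (worth logging)
     */
    public function prepare_post_data(array $post_data, array $allowed_fields): array
    {
        $rejected = [];
        $allowed  = array_flip($allowed_fields);

        foreach ($post_data as $key => $value) {
            $key         = (string) $key;
            $placeholder = '{' . $key . '}';

            if (!isset($allowed[$key]) || in_array($placeholder, self::RESERVED_PLACEHOLDERS, true)) {
                $rejected[] = $key;
                continue;
            }
            // Store text only; nothing here is ever passed to call_user_func().
            $this->placeholdered_data[$placeholder] = is_scalar($value) ? (string) $value : '';
        }
        return $rejected;
    }

    /**
     * Fills the reserved placeholders from values the server computed itself.
     * The counter is an integer the caller derived (e.g. from the entry post),
     * the permalink is a string; no stored value is invoked.
     */
    public function save_data(int $entry_counter, string $permalink): array
    {
        $this->placeholdered_data['{entryCounter}']  = (string) $entry_counter;
        $this->placeholdered_data['{thisPermalink}'] = $permalink;
        return $this->placeholdered_data;
    }
}

// Constructed input mirroring the abuse pattern described in the text:
// the submitter tries to overwrite the reserved entryCounter placeholder.
$request_fields = [
    'entryCounter' => 'wp_set_auth_cookie',
    'email'        => 'user@example.com',
];

$processor = new SafeFormProcessor();
$rejected  = $processor->prepare_post_data($request_fields, ['email', 'message']);
$stored    = $processor->save_data(42, 'https://example.com/?p=42');

printf("rejected keys: %s\n", implode(', ', $rejected));
print_r($stored);
```

The design point is that reserved placeholders are write-once from server-side data and that nothing in placeholdered_data is ever interpreted as a function name; an allow-list of declared fields means an unexpected key is logged and dropped rather than mapped.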

Active Exploitation of the Kali Forms Vulnerability in Real-World Attacks

Telemetry from security monitoring shows that exploitation began immediately after disclosure. Attackers have been systematically targeting the WordPress plugin using automated requests to admin-ajax.php. A representative exploit request:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    action=kaliforms_form_process&data[formId]=1&data[nonce]=66ddddb2b7&data[entryCounter]=wp_set_auth_cookie

This confirms how the Remote Code Execution flaw is triggered through manipulated form submission data. Security systems recorded significant attack volume:
  • Over 312,200 exploit attempts targeting the Kali Forms vulnerability were blocked.
  • Heavy targeting was observed immediately after the March 20, 2026 disclosure.
  • A further spike in activity occurred between April 4 and April 10, 2026.

Top Attacking IP Addresses Observed 

Threat intelligence identified several IPs responsible for large-scale exploitation attempts: 
  • 209.146.60.26 – over 152,000 blocked requests  
  • 49.156.40.126 – over 50,000  
  • 124.248.183.139 – over 26,000  
  • 202.56.2.126 – over 14,000  
  • 130.12.182.154 – over 11,000  
  • 104.28.160.197 – over 9,000  
  • 1.53.114.181 – over 5,700  
  • 157.15.40.74 – over 3,000  
  • 114.10.99.126 – over 2,500  
  • 83.147.12.83 – over 1,300  
These sources were repeatedly associated with exploitation attempts targeting the Kali Forms vulnerability in the affected WordPress plugin. 
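The request shape shown in the previous section and the source list above, turned into a defender-side check as an added example that is not from the report, from Wordfence or from the plugin: it inspects a decoded admin-ajax POST, flags reserved placeholder keys or values that name defined PHP functions, and notes source addresses that appear in the report's list. The function name, the constants, and the choice to only log (not block) on an address match are assumptions; the addresses themselves are the ones listed in the text.

```php
<?php
// Added example, not the report's or the plugin's code: a request-level check
// for the exploitation pattern described above. Names and constants are assumptions.

const KALIFORMS_ACTION = 'kaliforms_form_process';

// Request keys that only the plugin should populate (from the root-cause text).
const KALIFORMS_RESERVED_KEYS = ['entryCounter', 'thisPermalink'];

// Sources named in the report, for retrospective log review.
const KALIFORMS_REPORTED_SOURCES = [
    '209.146.60.26', '49.156.40.126', '124.248.183.139', '202.56.2.126',
    '130.12.182.154', '104.28.160.197', '1.53.114.181', '157.15.40.74',
    '114.10.99.126', '83.147.12.83',
];

/**
 * Inspects one admin-ajax POST and returns ['block' => bool, 'reasons' => string[]].
 *
 * @param array<string,mixed> $post   decoded POST parameters ($_POST in WordPress)
 * @param string              $source client address as the web server reports it
 */
function kaliforms_request_verdict(array $post, string $source): array
{
    if (($post['action'] ?? '') !== KALIFORMS_ACTION) {
        return ['block' => false, 'reasons' => []];
    }

    $reasons = [];
    $data    = $post['data'] ?? [];
    if (!is_array($data)) {
        $data = [];
    }

    // A client has no business supplying the plugin's internal placeholders.
    foreach (KALIFORMS_RESERVED_KEYS as $key) {
        if (array_key_exists($key, $data)) {
            $reasons[] = "reserved placeholder key supplied: data[$key]";
        }
    }

    // A value that names a defined PHP function is never legitimate form input.
    // function_exists() answers without calling anything.
    foreach ($data as $key => $value) {
        if (is_string($value)
            && preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $value)
            && function_exists($value)) {
            $reasons[] = "value of data[$key] names a callable function: $value";
        }
    }

    if (in_array($source, KALIFORMS_REPORTED_SOURCES, true)) {
        $reasons[] = "source $source appears in the reported attacker list";
    }

    // Block on request shape only; an address match is recorded, not acted on.
    $shape_hits = array_filter($reasons, fn($r) => strpos($r, 'source ') !== 0);
    return ['block' => count($shape_hits) > 0, 'reasons' => $reasons];
}

// Constructed request reproducing the representative exploit body from the report.
$post = [
    'action' => KALIFORMS_ACTION,
    'data'   => ['formId' => '1', 'nonce' => '66ddddb2b7', 'entryCounter' => 'wp_set_auth_cookie'],
];
$verdict = kaliforms_request_verdict($post, '209.146.60.26');
printf("block=%s\n%s\n", $verdict['block'] ? 'yes' : 'no', implode("\n", $verdict['reasons']));
```

In a WordPress install this could run from a must-use plugin on the init hook, passing $_POST and the client address (REMOTE_ADDR, or the proxy-supplied address where one is trusted) and calling wp_die() on a block verdict; outside WordPress, function_exists('wp_set_auth_cookie') is false, so only the reserved-key reason fires. It is a stopgap for logging and virtual patching, not a substitute for updating to 2.4.10.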

Which Came First: The System Prompt, or the RCE?

During a recent penetration test, we came across an AI-powered desktop application that acted as a bridge between Claude (Opus 4.5) and a third-party asset management platform. The idea is simple: instead of clicking through dashboards and making API calls, users just ask the agent to do it for them. “How many open tickets do […]

The post Which Came First: The System Prompt, or the RCE? appeared first on Praetorian.

The post Which Came First: The System Prompt, or the RCE? appeared first on Security Boulevard.
