Cyber Exposure Alerts From Tenable
- CVE-2026-32201, CVE-2026-45659, CVE-2026-56164: Frequently Asked Questions About Active Exploitation of Microsoft SharePoint Server Vulnerabilitiesby Research Special Operations on July 16, 2026 at 12:00 pm
Four Microsoft SharePoint Server vulnerabilities are under active exploitation, prompting CISA to issue a hardening alert. An additional high-severity flaw recently patched adds pressure for organizations running on-premises deployments.Key TakeawaysCISA confirmed active exploitation of three on-premises SharePoint Server vulnerabilities (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164), used to gain unauthorized access, establish remote code execution, steal IIS machine keys and deploy malware for persistence.Two additional SharePoint Server vulnerabilities disclosed on July 14, 2026, CVE-2026-55040 and CVE-2026-58644, were not yet observed exploited at the time of publication, but Microsoft has flagged CVE-2026-58644 as exploited on July 15.Microsoft released patches for all five vulnerabilities and Microsoft Defender Antivirus detection signatures are available to identify exploitation activity for three of the actively exploited flaws.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding active exploitation of Microsoft SharePoint Server vulnerabilities.FAQWhen did CISA issue an alert about SharePoint Server exploitation?On July 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert confirming active exploitation of three on-premises SharePoint Server vulnerabilities: CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. The alert noted that these flaws had been used to gain unauthorized access to SharePoint deployments across all supported on-premises versions and flagged two additional high-risk vulnerabilities, CVE-2026-55040 and CVE-2026-58644, as not yet exploited but warranting immediate patching. However in an update to the security advisory on July 15, Microsoft confirmed CVE-2026-58644 has been exploited in the wild.What vulnerabilities are covered in this alert?Five Microsoft SharePoint Server vulnerabilities are covered in CISA’s alert: Four with confirmed active exploitation and one newly disclosed high-severity flaw that Microsoft assesses as “Exploitation More Likely” according to Microsoft’s Exploitability Index. All five affect all supported on-premises SharePoint Server versions: Subscription Edition, 2019, and 2016.CVEDescriptionCVSSv3VPRCVE-2026-32201Microsoft SharePoint Server Spoofing Vulnerability6.57.2CVE-2026-45659Microsoft SharePoint Remote Code Execution Vulnerability8.89.4CVE-2026-56164Microsoft SharePoint Server Elevation of Privilege Vulnerability9.8 – NVD5.3 – Microsoft9.5CVE-2026-55040Microsoft SharePoint Server Security Feature Bypass Vulnerability9.17.3CVE-2026-58644Microsoft SharePoint Server Remote Code Execution Vulnerability9.87.9*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on July 16 and reflects VPR at that time.What do the actively exploited vulnerabilities do?CVE-2026-32201 is a spoofing flaw rooted in improper input validation. An unauthenticated remote attacker can exploit it over a network without user interaction.CVE-2026-45659 is a remote code execution (RCE) vulnerability involving deserialization of untrusted data. An authenticated attacker can exploit this flaw in order to execute code on an affected SharePoint server.CVE-2026-56164 is an elevation of privilege vulnerability. An unauthenticated attacker can exploit it remotely to elevate privileges on a SharePoint Server.CVE-2026-58644 is a RCE vulnerability that can be abused by an authenticated attacker with at least Site Owner permissions. Successful exploitation would allow the attacker to achieve code execution by exploiting a deserialization of untrusted data flaw.What post-exploitation activity has been observed?According to CISA, attackers have combined CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 to gain entry to on-premises SharePoint Server instances, then pursued several post-exploitation objectives: extracting IIS machine keys, leveraging deserialization techniques to establish persistence, and deploying malware. CISA notes that stolen machine keys can be used to forge requests enabling further exploitation of the server. The advisory notes that key rotation alone is not a complete remediation step, without first removing any key-harvesting artifacts.What is CVE-2026-55040, the vulnerability that has not yet been exploited?CVE-2026-55040 is a security feature bypass rooted in weak authentication. It was assigned a CVSSv3 score of 9.1 and rated as critical. An unauthenticated attacker can exploit it over the network, without user interaction allowing the attacker to impact both confidentiality and integrity.Both CVE-2026-55040 and CVE-2026-58644 were disclosed on July 14, 2026, as part of Microsoft’s July 2026 Patch Tuesday release. As of July 16, 2026, CVE-2026-55040 has not been observed being exploited in the wild.What is the history of exploitation for Microsoft SharePoint Server?Microsoft SharePoint Server has been a recurring target for threat actors across multiple years. CISA’s Known Exploited Vulnerabilities (KEV) catalog contains 12 SharePoint-related entries, including seven currently known to be used in ransomware campaigns. The table below outlines prior SharePoint CVEs added to the KEV catalog.CVEDate Added to KEVKnown RansomwareTenable CoverageCVE-2026-561642026-07-14UnknownJuly 2026 Patch TuesdayCVE-2026-456592026-07-01Unknown–CVE-2026-322012026-04-14UnknownApril 2026 Patch TuesdayCVE-2026-209632026-03-18Unknown–CVE-2025-497062025-07-22YesJuly 2025 Patch TuesdayCVE-2025-497042025-07-22YesJuly 2025 Patch TuesdayCVE-2025-537702025-07-20YesFAQ BlogCVE-2024-380942024-10-22Yes–CVE-2023-249552024-03-26YesExploit Chain Released for Microsoft SharePoint Server VulnerabilitiesCVE-2023-293572024-01-10YesJune 2023 Patch TuesdayExploit Chain Released for Microsoft SharePoint Server VulnerabilitiesCVE-2019-06042021-11-03YesCritical Microsoft SharePoint Remote Code Execution Flaw Actively ExploitedCVE-2020-11472021-11-03Unknown–Which threat actors are exploiting these SharePoint vulnerabilities?As of July 16, 2026, neither CISA nor Microsoft has attributed the active exploitation of CVE-2026-32201, CVE-2026-45659, CVE-2026-56164 or CVE-2026-58644 to specific threat actors or groups.Is there a proof-of-concept available for any of these vulnerabilities?As of July 16, 2026, no public proofs-of-concept are available for any of the five vulnerabilities covered in this FAQ.Are patches and mitigations available?Microsoft released patches for all five vulnerabilities. The table below lists the fixed build numbers for each affected SharePoint version.CVESharePoint Enterprise Server 2016SharePoint Server 2019SharePoint Server Subscription EditionCVE-2026-3220116.0.5548.100316.0.10417.2011416.0.19725.20210CVE-2026-4565916.0.5552.100216.0.10417.2012816.0.19725.20280CVE-2026-5616416.0.5561.100116.0.10417.2017516.0.19725.20434CVE-2026-5504016.0.5561.100116.0.10417.2017516.0.19725.20434CVE-2026-5864416.0.5556.100516.0.10417.2015316.0.19725.20384The CISA advisory and several of the Microsoft security advisories recommend enabling AMSI integration on SharePoint and IIS worker processes and setting the Request Body Scan mode to Full to allow detection of malicious POST payloads. CISA’s hardening guidance also advises against direct internet exposure of SharePoint Servers and recommends restricting external access to SharePoint Central Administration.Are there indicators of compromise?Yes. CISA and Microsoft have published AMSI and Microsoft Defender Antivirus detection signatures for the three actively exploited vulnerabilities.SignatureTypeScopeExploit:Script/SuspSignoutReqBody.AAMSIRequest body scanning; SharePoint Server Subscription Edition only; Microsoft reports active exploitation attempts have been blockedExploit:Script/ToolPaneAuthBypass.AAMSIRequest header scanning; SharePoint Server 2016, 2019, and Subscription EditionExploit:Script/ToolPaneAuthBypass.CAMSIRCE coverage; SharePoint Server 2016, 2019, and Subscription EditionBackdoor:MSIL/LeakFang.A!dhaMDAVPost-exploitation activity; IIS machine key accessCISA recommends reviewing telemetry for anomalous requests, suspicious SharePoint worker-process activity, webshells and machine-key access activity.Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?Yes. Tenable Research has classified CVE-2026-32201, CVE-2026-45659 and CVE-2026-56164 and CVE-2026-58644 as part of Vulnerability Watch. The designation applies to flaws with confirmed in-the-wild exploitation and the potential for widespread impact across affected organizations. We are actively tracking developments related to this activity and will update this post as new information becomes available.Has Tenable released product coverage for these vulnerabilities?A list of Tenable plugins can be found on the individual CVE pages:CVE-2026-32201CVE-2026-45659CVE-2026-56164CVE-2026-55040CVE-2026-58644This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, Tenable Attack Surface Management customers can identify external-facing assets by leveraging the built-in subscription labeled Microsoft Sharepoint Server – v1.Get more informationCISA: CISA Urges SharePoint Hardening After New ExploitationsTenable: Microsoft’s July 2026 Patch Tuesday Addresses 569 CVEs (CVE-2026-56155, CVE-2026-56164)Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- CVE-2026-15409, CVE-2026-15410: SonicWall SMA 1000 zero-day vulnerabilities exploited in the wildby Scott Caveza on July 15, 2026 at 1:14 pm
SonicWall patched two recently exploited zero-day vulnerabilities in its SMA 1000 Series secure remote access appliances which may have been chained for unauthenticated remote code execution.Key takeawaysCVE-2026-15409 and CVE-2026-15410 are a pair of exploited vulnerabilities that may have been chained together to allow for code execution on SonicWall SMA1000 series appliances. Zero-day exploitation of these vulnerabilities has been observed and confirmed by SonicWall. Patches and indicators of compromise are available and urgent patching is recommended.BackgroundSonicWall’s Secure Mobile Access (SMA) 1000 Series appliances are enterprise-grade SSL VPN gateways which serve as the front door to organizational networks. The SMA series models sit at the edge of the network, internet-facing by design. Because SMA 1000 appliances aggregate remote access credentials and sit directly on the internet, they represent high-value targets for attackers. A compromise at the appliance level can yield administrator credentials, VPN session tokens, and detailed knowledge of the internal network architecture sitting behind the gateway.On July 14, SonicWall disclosed two vulnerabilities that are being exploited together in the wild:CVEDescriptionCVSSv3CVE-2026-15409SonicWall SMA 1000 server-side request forgery (SSRF) vulnerability10CVE-2026-15410SonicWall SMA 1000 remote code execution vulnerability (RCE)7.2While the advisory does not specify if they were exploited in tandem, together they form a fully remote, unauthenticated path to arbitrary OS command execution on affected appliances.AnalysisCVE-2026-15409 is a SSRF vulnerability affecting the SMA 1000 Workplace interface. This flaw allows a remote, unauthenticated attacker to make network requests to locations of the attacker’s choosing. In practice, SSRF on an internet-facing appliance can serve as a pivot, allowing an attacker to probe internal services, relay authentication material, or reach the AMC in a way that bypasses normal access controls.CVE-2026-15410 is a code injection vulnerability in the Appliance Management Console (AMC). The AMC is the administrative interface used to configure the appliance, manage users, set access policies, and monitor sessions. While this flaw does require the user to be authenticated, the potential chaining of these vulnerabilities makes the exploitation path possible without authentication.These flaws have been exploited in the wild as zero-days. While SonicWall has not provided any details on attribution of which threat actors may be behind the attacks, several SonicWall vulnerabilities have been targeted in the past, including the exploitation of zero-days.Historical exploitation of SonicWall vulnerabilitiesSonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies. Last year, a surge in ransomware activity was tied to the exploitation of SonicWall Gen 7 Firewalls, prompting warnings from multiple security vendors.Given the historical exploitation of SonicWall devices, we put together the following list of known SMA vulnerabilities that have been exploited in the wild:CVEDescriptionTenable Blog LinksYearCVE-2019-7481SonicWall SMA100 SQL Injection Vulnerability12019CVE-2019-7483SonicWall SMA100 Directory Traversal Vulnerability-2019CVE-2021-20016SonicWall SSLVPN SMA100 SQL Injection Vulnerability1, 2, 3, 4, 52021CVE-2021-20038SonicWall SMA100 Stack-based Buffer Overflow Vulnerability1, 2, 32021CVE-2025-23006SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability12025CVE-2024-40766SonicWall SonicOS Improper Access Control Vulnerability12025CVE-2025-40602SonicWall SMA 1000 Privilege Escalation Vulnerability12025Both CVE-2026-15409 and CVE-2026-15410 have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog with a remediation date of Friday, July 17, despite only being added on July 14. Given the urgency surrounding these vulnerabilities and the historical exploitation of these devices, immediate patching is recommended.Proof of conceptAt the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2026-15409 or CVE-2026-15410. If and when a public PoC exploit becomes available for these vulnerabilities, we anticipate an increase in exploitation as attackers will attempt to leverage these flaws as part of their attacks.SolutionSonicWall has released patches to address this vulnerability in SMA1000 models 6210, 7210 and 8200v as outlined in the table below:Affected VersionFixed Version12.4.3-0324512.4.3-03453 and later versions12.4.3-0338712.4.3-03453 and later versions12.4.3-0343412.4.3-03453 and later versions12.5.0-0228312.5.0-02835 and later versions12.5.0-0262412.5.0-02835 and later versions12.5.0-0280012.5.0-02835 and later versionsWhile the advisory does not provide any workarounds, it does include indicators of compromise (IoCs) for threat hunters to determine if any exploitation has impacted their devices. We recommend reviewing the advisory for the most up to date IoCs.Identifying affected systemsA list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-15409 and CVE-2026-15410 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SonicWall devices:Get more informationSonicWall Security Advisory SNWLID-2026-0008Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Microsoft’s July 2026 Patch Tuesday Addresses 569 CVEs (CVE-2026-56155, CVE-2026-56164)by Research Special Operations on July 14, 2026 at 2:23 pm
56Critical510Important3Moderate0LowMicrosoft addresses 569 CVEs in the largest Patch Tuesday release yet. This month’s release includes three zero-days, two of which were exploited in the wild.Microsoft patched 569 CVEs in its July 2026 Patch Tuesday release, with 56 rated critical, 510 rated as important, and 3 rated as moderate. This marks the largest Patch Tuesday release ever, crushing the previous record of 198 CVEs in June. Last week, Microsoft announced that its multi-model agentic scanning harness (MDASH) is being used to identify vulnerabilities faster and noted that “customers will see a higher volume of security updates included in each security release.”This month’s update includes patches for:.NET.NET Core.NET FrameworkASP.NET CoreActive Directory Certificate Services (AD CS)Active Directory Domain ServicesActive Directory Federation Services (AD FS)Azure Active DirectoryAzure CycleCloudAzure Monitor AgentAzure Spring AppsCode Integrity DLL (ci.dll)Composite Image File System DriverContent Delivery ManagerDesktop Window ManagerExtensible Storage Engine (ESENT)GitHub Copilot and Visual StudioGitHub Copilot and Visual Studio CodeGithub CopilotHTTP/2Microsoft 365 Copilot for iOSMicrosoft Bing App for IOSMicrosoft CopilotMicrosoft DefenderMicrosoft Defender for EndpointMicrosoft Dynamics NAVMicrosoft Edge for AndroidMicrosoft Exchange ServerMicrosoft Fabric Data WarehouseMicrosoft Graphics ComponentMicrosoft Input Method Editor (IME)Microsoft Install ServiceMicrosoft NAT Helper Components (ipnathlp.dll)Microsoft OfficeMicrosoft Office ExcelMicrosoft Office OneNoteMicrosoft Office PowerPointMicrosoft Office SharePointMicrosoft Office WordMicrosoft Printer DriversMicrosoft SurfaceMicrosoft WindowsMicrosoft Windows App StoreMicrosoft Windows Codecs LibraryMicrosoft Windows Media FoundationMicrosoft Windows Search ComponentMicrosoft Windows SpeechMicrosoft XMLMicrosoft XML Core ServicesMinecraft Bedrock Dedicated ServerOutlook CopilotPower BIQuality Windows Audio/Video Experience (QWAVE) serviceRPC RuntimeReliable Multicast Transport Driver (RMCAST)Remote Desktop ClientRole: DNS ServerSQL ServerSQL Server ODBC driverUniversal Plug and Play (upnp.dll)Virtual Hard Disk (VHD) Miniport DriverVisual StudioVisual Studio CodeWindow PC ManagerWindows Active DirectoryWindows Admin CenterWindows Ancillary Function Driver for WinSockWindows App InstallerWindows AppX Deployment ServiceWindows Application ModelWindows Audio Compression Manager (ACM)Windows Audio ServiceWindows Backup EngineWindows BitLockerWindows Bluetooth Port DriverWindows Bluetooth ServiceWindows Boot LoaderWindows Brokering File SystemWindows Client-Side Caching (CSC) ServiceWindows Clip ServiceWindows Clipboard ServerWindows Clipboard User ServiceWindows Cloud Files Mini Filter DriverWindows Common Log File System DriverWindows Connected User Experiences and TelemetryWindows Container Isolation FS Filter Driver (unionfs.sys)Windows CryptoAPIWindows Cryptographic ServicesWindows DHCP ClientWindows DHCP ServerWindows DNSWindows DWMWindows DWM Core LibraryWindows Data.dllWindows Devices Human InterfaceWindows DirectXWindows Domain ControllerWindows Event Logging ServiceWindows FTP ServiceWindows File ExplorerWindows File History ServiceWindows Filtering Platform (WFP)Windows GDIWindows GDI+Windows Graphics KernelWindows Group PolicyWindows HTTP.sysWindows Hyper-VWindows Image AcquisitionWindows InstallerWindows Internal System User ProfileWindows Internal Task BarWindows Internet Key Exchange (IKE) ProtocolWindows KernelWindows Kernel Mode DriverWindows Kernel-Mode DriversWindows Key GuardWindows LUAFVWindows Local Security Authority Subsystem Service (LSASS)Windows MIDI Service ModuleWindows Management ServicesWindows MediaWindows Message QueuingWindows Message Queuing Queue ManagerWindows NTFSWindows Narrator BrailleWindows NetlogonWindows Network Address Translation (NAT)Windows Network File SystemWindows Network Policy Server SNMPWindows NotificationWindows OLEWindows Operating SystemsWindows Overlay FilterWindows PowerShellWindows Presentation Foundation (WPF)Windows Print Spooler ComponentsWindows Projected File SystemWindows Push NotificationsWindows Quality of Service (QoS) Packet SchedulerWindows RDPWindows RPC APIWindows Redirected Drive BufferingWindows Remote Access Connection ManagerWindows Remote Access Service InfrastructureWindows Remote Desktop ProtocolWindows Remote Desktop ServicesWindows Remote Help DefenseWindows Resilient File System (ReFS)Windows Routing and Remote Access Service (RRAS)Windows RuntimeWindows SMBWindows SMB ServerWindows SMB Server Network Transport Driver (srvnet.sys)Windows SchannelWindows Secure BootWindows Secure Kernel ModeWindows Secure Socket Tunneling Protocol (SSTP)Windows Sensor Data ServiceWindows ServerWindows Server BackupWindows Server Network driverWindows Server Update ServiceWindows Spaceport.sysWindows StateRepository APIWindows StorageWindows Storage Spaces DirectWindows Subsystem for LinuxWindows SystemWindows TCP/IPWindows Telephony ServiceWindows TerminalWindows Trusted Runtime Interface DriverWindows USB Audio Class driver (usbaudio.sys)Windows USB DriverWindows USB Hub DriverWindows USB Print DriverWindows USB Video DriverWindows Unified Consent SystemWindows Universal Disk Format File System Driver (UDFS)Windows User Interface CoreWindows VMSwitchWindows Virtual Filtering Platform (VFP)Windows WalletServiceWindows Web Proxy Auto-Discovery Protocol (WPAD)Windows WebViewWindows Win32KWindows Win32K – GRFXWindows Wireless NetworkingWindows Wireless Wide Area Network ServiceElevation of privilege (EoP) vulnerabilities accounted for 43.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.1%.ImportantCVE-2026-56155 | Active Directory Federation Services Elevation of Privilege VulnerabilityCVE-2026-56155 is an EoP vulnerability affecting Active Directory Federation Services. It received a CVSSv3 score of 7.8 and is rated important. Microsoft notes that this flaw was exploited in the wild as a zero-day and is credited to researchers with the Microsoft Detection and Response Team (DART). Successful exploitation would allow an attacker to gain administrator privileges.ModerateCVE-2026-56164 | Microsoft SharePoint Server Elevation of Privilege VulnerabilityCVE-2026-56164 is an EoP vulnerability in Microsoft SharePoint Server. It received a CVSSv3 score of 5.3 and is rated moderate. According to Microsoft, it was exploited in the wild as a zero-day. This vulnerability affects Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition, as well as SharePoint Server 2016 and SharePoint Enterprise Server 2016.Microsoft notes that its Antimalware Scan Interface (AMSI) integration can provide mitigation for this vulnerability by scanning for and detecting malicious POST requests.ImportantCVE-2026-50661 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-50661 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.1 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. While an exploit is public, the advisory notes that exploitation requires physical access to the target device.Microsoft did not provide any attribution other than to “Anonymous” though based on the advisory description, it’s possible this patch addresses GreatXML, a zero-day BitLocker bypass flaw disclosed by the researcher known as Chaotic Eclipse (Nightmare Eclipse). GreatXML was disclosed on June 10th, a day after the June Patch Tuesday release.CriticalCVE-2026-55944 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution VulnerabilityCVE-2026-55944 is a RCE vulnerability in Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central. It received a CVSSv3 score of 9.8, is rated critical and assessed as “Exploitation More Likely.” Successful exploitation can be achieved by sending a crafted login request to an affected Dynamics NAV or Business Central server in order to trigger a deserialization of untrusted data vulnerability. Microsoft’s advisory cautions that no user-interaction is required, nor is authentication a requirement in order to successfully exploit this vulnerability.CriticalMultiple CVEs | Windows DHCP Server and Client Remote Code Execution, Elevation of Privilege and Denial of Service VulnerabilitiesThis month’s updates included patches to address multiple CVEs affecting DHCP Server and Windows DHCP Client. Of the nine CVEs, five were rated as critical and three were assessed as “Exploitation More Likely.” A breakdown of the CVEs can be found in the table below:CVEDescriptionCVSSv3SeverityExploitability IndexCVE-2026-50518Windows DHCP Server Remote Code Execution Vulnerability9.8CriticalExploitation More LikelyCVE-2026-50370DHCP Server Service Remote Code Execution Vulnerability8.8CriticalExploitation More LikelyCVE-2026-54128Windows DHCP Client Remote Code Execution Vulnerability8.4CriticalExploitation More LikelyCVE-2026-48564DHCP Server Service Remote Code Execution Vulnerability8.8CriticalExploitation Less LikelyCVE-2026-49181Windows DHCP Client Elevation of Privilege Vulnerability7.5ImportantExploitation Less LikelyCVE-2026-56159DHCP Server Service Remote Code Execution Vulnerability9.8CriticalExploitation UnlikelyCVE-2026-50683Windows DHCP Client Elevation of Privilege Vulnerability8.0ImportantExploitation UnlikelyCVE-2026-50685Windows DHCP Server Remote Code Execution Vulnerability7.5ImportantExploitation UnlikelyCVE-2026-58627Windows DHCP Server Denial of Service Vulnerability7.5ImportantExploitation UnlikelyImportantMultiple CVEs | Windows Kernel Elevation of Privilege VulnerabilityUpdates this month include 20 CVEs addressing EoP vulnerabilities in the Windows Kernel. CVSSv3 scores range from 4.7 to 9.3 and six of the 20 were assessed as “Exploitation More Likely.” Additionally, Windows Kernel saw several additional security fixes this month with six CVEs for Information Disclosure flaws and two security feature bypasses. A breakdown of the EoP CVEs can be found in the tables below:Windows Kernel Elevation of Privilege VulnerabilitiesCVECVSSv3SeverityExploitability IndexCVE-2026-497989.3ImportantExploitation More LikelyCVE-2026-497958.8ImportantExploitation More LikelyCVE-2026-503327.8ImportantExploitation More LikelyCVE-2026-504237.8ImportantExploitation More LikelyCVE-2026-504367.8ImportantExploitation More LikelyCVE-2026-503907.0ImportantExploitation More LikelyCVE-2026-504778.8ImportantExploitation Less LikelyCVE-2026-491737.8ImportantExploitation Less LikelyCVE-2026-498087.8ImportantExploitation Less LikelyCVE-2026-503997.8ImportantExploitation Less LikelyCVE-2026-504787.8ImportantExploitation Less LikelyCVE-2026-504847.8ImportantExploitation Less LikelyCVE-2026-506737.8ImportantExploitation Less LikelyCVE-2026-585327.8ImportantExploitation Less LikelyCVE-2026-503547.1ImportantExploitation Less LikelyCVE-2026-503977.0ImportantExploitation Less LikelyCVE-2026-504597.0ImportantExploitation Less LikelyCVE-2026-541326.8ImportantExploitation Less LikelyCVE-2026-503775.5ImportantExploitation Less LikelyCVE-2026-491674.7ImportantExploitation Less LikelyTenable SolutionsA list of all the plugins released for Microsoft’s July 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s July 2026 Security UpdatesTenable plugins for Microsoft July 2026 Patch Tuesday Security UpdatesJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)by Research Special Operations on June 18, 2026 at 5:23 am
Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.Key TakeawaysThe June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates122 issues (49.8% of all patches) were assigned a critical severity ratingOracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patchesBackgroundOn June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.This month’s update includes 122 critical patches across 122 CVEs.SeverityIssues PatchedCVEsCritical122122High104102Medium1515Low44Total245243AnalysisThis month’s update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle Fusion Middleware10653Oracle E-Business Suite556Oracle JD Edwards2012Oracle Enterprise Manager166Oracle Siebel CRM127Oracle PeopleSoft117Oracle Virtualization100Oracle MySQL84Oracle Communications33Oracle Systems31Oracle Supply Chain11Oracle PeopleSoft zero-day exploitedOn June 10, Oracle published an out-of-band Security Alert Advisory for CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible.SolutionCustomers are advised to apply all relevant patches in this CSPU. Please refer to the June 2026 advisory for full details.Identifying affected systemsA list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.Get more informationOracle Critical Security Patch Update Advisory – June 2026Oracle June 2026 Critical Security Patch Update Risk MatricesOracle Advisory to CVE MapJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507)by Research Special Operations on June 9, 2026 at 2:19 pm
32Critical166Important0Moderate0LowMicrosoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.This month’s update includes patches for:.NETASP.NET CoreActive Directory Domain ServicesAzure HorizonDBAzure Stack EdgeCopilot Chat (Microsoft Edge)Function Discovery Service (fdwsd.dll)GitHub Copilot and Visual Studio CodeHTTP/2Linux MANA DriverM365 CopilotMicrosoft Azure Attestation service and Device Health Attestation ServiceMicrosoft Azure Kubernetes ServiceMicrosoft BingMicrosoft CopilotMicrosoft Defender for EndpointMicrosoft Dynamics 365 (on-premises)Microsoft Exchange OnlineMicrosoft Exchange ServerMicrosoft GraphMicrosoft Graphics ComponentMicrosoft KinectMicrosoft Live Share Canvas SDKMicrosoft OfficeMicrosoft Office Click-To-RunMicrosoft Office ExcelMicrosoft Office ProjectMicrosoft Office SharePointMicrosoft Office WordMicrosoft PC ManagerMicrosoft PowerToysMicrosoft Teams for AndroidMicrosoft UxTheme Library (uxtheme.dll)Microsoft Windows DNSNuance PowerScribeOffice for AndroidRemote Desktop ClientRole: Windows Hyper-VUI Automation Manager (uiamanager.dll)Universal Plug and Play (upnp.dll)Visual Studio CodeWindows Administrator ProtectionWindows Ancillary Function Driver for WinSockWindows Application Identity (AppID) SubsystemWindows BitLockerWindows Bluetooth Port DriverWindows Bluetooth ServiceWindows Boot ManagerWindows Collaborative Translation FrameworkWindows Common Log File System DriverWindows Cryptographic ServicesWindows DHCP ClientWindows DHCP ServerWindows DWM Core LibraryWindows Deployment ServicesWindows HTTP.sysWindows Hotpatch Monitoring ServiceWindows Hyper-VWindows Internet (wininet.dll)Windows KerberosWindows KernelWindows Kernel-Mode DriversWindows Mark of the Web (MOTW)Windows MediaWindows NT OS KernelWindows NTFSWindows Narrator BrailleWindows Network Controller (NC) Host AgentWindows Performance MonitorWindows Program Compatibility Assistant ServiceWindows Projected File System Filter DriverWindows Push NotificationsWindows RDPWindows SDKWindows Secure BootWindows ShellWindows StorageWindows TCP/IPWindows Telephony ServiceWindows UEFIWindows Universal Disk Format File System Driver (UDFS)Windows Win32K – GRFXWinlogonElevation of Privilege (EoP) vulnerabilities accounted for 31.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 27.3%.ImportantCVE-2026-50507 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-50507 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.According to Microsoft, an attacker with physical access to the system could bypass the BitLocker Device Encryption feature in order to gain access to the device’s encrypted data. This vulnerability appears to be the flaw known as Bitskrieg and a collaboration between Chaotic Eclipse (Nightmare Eclipse) and Jonas L.ImportantCVE-2026-49160 | HTTP.sys Denial of Service VulnerabilityCVE-2026-49160 is a denial of service (DoS) vulnerability affecting HTTP.sys. It received a CVSSv3 score of 7.5 and is rated as important. It was assessed as “Exploitation More Likely” and publicly disclosed prior to a patch being available. According to the advisory, this DoS affects HTTP/2. The advisory notes that this update adds a MaxHeadersCount registry setting which can be used to limit the number of headers included in HTTP/2 and HTTP/3 requests.Dubbed HTTP/2 Bomb by researchers at Calif, which is credited by Microsoft for reporting the DoS, their blog describes the technical details and provides a proof-of-concept which can be used to test web servers against this vulnerability. As noted in the blog post, at the time it was released, Microsoft had not yet released patches.ImportantCVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege VulnerabilityCVE-2026-45586 is an EoP vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. This EoP flaw was one of three zero-days disclosed prior to patches being made available. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft has assessed this vulnerability as “Exploitation More Likely.”CriticalCVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 | Remote Desktop Client Remote Code Execution VulnerabilityCVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 are RCE vulnerabilities affecting Remote Desktop Client. CVSSv3 scores ranged from 8.8 (CVE-2026-42985, CVE-2026-47289 and CVE-2026-47653) to 7.5 and seven were rated as critical while CVE-2026-42993, CVE-2026-42909, CVE-2026-47653 and CVE-2026-42913 were rated as important. Successful exploitation would require a victim to connect to an attacker controlled server using an affected version of the Remote Desktop Client. This action could trigger a heap-based buffer overflow, resulting in remote code execution.While no public details have been released about these vulnerabilities as of June 9, Microsoft has assessed CVE-2026-42985 as “Exploitation More Likely” while the other CVEs were classified as either “Exploitation Unlikely” or “Exploitation Less Likely.” Patches are available for supported versions of Windows and Windows Server.Out Of Band UpdatesWhile these updates were released prior to the Patch Tuesday release on June 9, they were outside the window for the May release and are noted here as they are significant.ImportantCVE-2026-41091 | Microsoft Defender Elevation of Privilege VulnerabilityCVE-2026-41091 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and is rated important. An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, gaining privileges as SYSTEM.According to reports, CVE-2026-41091 is RedSun, a zero-day vulnerability disclosed by a researcher named Chaotic Eclipse or Nightmare Eclipse on April 15, 2026. This researcher has also published several additional zero-days recently, including BlueHammer (CVE-2026-33825), GreenPlasma, MiniPlasma and collaborated on Bitskrieg (CVE-2026-50507). It has since been exploited in the wild and added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog on May 20.ImportantCVE-2026-45585 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-45585 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. This vulnerability is known as YellowKey, named by the researcher known as Chaotic Eclipse or Nightmare Eclipse.A proof-of-concept (PoC) was made public on May 13, prompting Microsoft to publish the original advisory and CVE identifier on May 19th, offering mitigation guidance.Exploitation does require physical access to the device, however Microsoft has assessed this vulnerability as “Exploitation More Likely.”Tenable SolutionsA list of all the plugins released for Microsoft’s June 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s June 2026 Security UpdatesTenable plugins for Microsoft June 2026 Patch Tuesday Security UpdatesJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Oracle May 2026 Critical Security Patch Update Addresses 35 CVEsby Research Special Operations on May 28, 2026 at 11:06 pm
Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates.Key TakeawaysThe May 2026 Critical Security Patch Update (CSPU) contains fixes for 35 unique CVEs in 35 security updates11 issues (31.4% of all patches) were assigned a critical severity ratingOracle E-Business Suite received the highest number of patches at 12, accounting for 34.3% of all patchesBackgroundOn May 28, Oracle released its Critical Security Patch Update (CSPU) for May 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 35 unique CVEs in 35 security updates across 5 Oracle product families. Out of the 35 security updates published, 31.4% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 51.4%, followed by critical severity patches at 31.4%.This month’s update includes 11 critical patches across 11 CVEs.SeverityIssues PatchedCVEsCritical1111High1818Medium66Low00Total3535AnalysisThis month’s update saw the Oracle E-Business Suite product family contain the highest number of patches at 12, accounting for 34.3% of the total patches, followed by Oracle REST Data Services at 11 patches, which accounted for 31.4% of the total patches.A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle E-Business Suite123Oracle REST Data Services117Oracle Communications84Oracle Database Server33Oracle Hospitality Applications11SolutionCustomers are advised to apply all relevant patches in this CSPU. Please refer to the May 2026 advisory for full details.Identifying affected systemsA list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.Get more informationOracle Critical Security Patch Update Advisory – May 2026Oracle May 2026 Critical Security Patch Update Risk MatricesOracle Advisory to CVE MapJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaignby Research Special Operations on May 21, 2026 at 11:28 am
A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know.Key takeawaysMini Shai-Hulud is a self-propagating worm by TeamPCP that steals developer and cloud credentials across the npm and PyPI ecosystems.The campaign achieved a critical security first by compromising packages with valid SLSA Build Level 3 provenance attestations, proving that process integrity controls can be defeated.Any system that installed a compromised package must be treated as fully compromised.BackgroundBetween September 2025 and May 2026, a threat group tracked as TeamPCP has conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems. The campaign, which the group calls Shai-Hulud, uses a self-propagating worm that steals developer and cloud credentials, then leverages those credentials to publish poisoned versions of additional packages. Each compromised continuous integration and continuous deployment (CI/CD) pipeline becomes a new distribution vector, enabling exponential spread. The current iteration is known as Mini Shai-Hulud.Tenable’s Research Special Operations Team (RSO) has compiled this FAQ to discuss what Mini Shai-Hulud is, how the campaign operates, who has been affected and what organizations should do to protect their software supply chains.FAQWhat is Mini Shai-Hulud?Mini Shai-Hulud is a multi-wave supply chain attack campaign that targets the npm and PyPI open-source package registries. The name, chosen by the threat group TeamPCP, is a reference to the sandworms in Frank Herbert’s “Dune” novels, and the campaign carries a consistent Dune-universe theme throughout its infrastructure (dead-drop repository branch names, marker strings and operational messaging all draw from the Dune lexicon).What is the difference between Shai-Hulud and Mini Shai-Hulud?Shai-Hulud is the worm family. Mini Shai-Hulud is the current generation of that worm and the name TeamPCP uses for the active campaign.When did these campaigns start?The original Shai-Hulud worm appeared in September 2025 as the first self-replicating malware observed in the npm ecosystem. It could steal maintainer tokens and use them to publish poisoned versions of other packages without further attacker input.A second generation, sometimes called SHA1-Hulud, surfaced in November 2025 with updated wiper functionality and improved credential harvesting.A third variant designated SANDWORM_MODE, introduced adaptive targeting that allowed the worm to enumerate CI/CD pipeline structures before deciding how to propagate. Each generation directly addressed detection and takedown techniques applied to its predecessor, suggesting the operators monitored defensive responses and adapted accordingly.Mini Shai-Hulud is the fourth generation, active since late April 2026. The “Mini” is TeamPCP’s own ironic branding; in practice, this variant is far more destructive than the original. Its distinguishing capabilities include:SLSA Build Level 3 provenance attestation forgery (allowing malicious packages to pass cryptographic verification)OIDC token extraction directly from GitHub Actions runner process memoryPersistence hooks targeting AI coding agents and developer IDEsCross-ecosystem propagation spanning both npm and PyPI,Triple-redundant credential exfiltration through a dedicated command-and-control serverIterationNameFirst ObservationFirstShai-HuludSeptember 2025SecondSHA1-HuludNovember 2025ThirdSANDWORM_MODEMarch 2026FourthMini Shai-HuludApril 2026 What are the vulnerabilities associated with Mini Shai-Hulud?The TanStack compromise has been assigned a single CVE:CVEDescriptionCVSSv3VPRCVE-2026-45321Malicious code injection in 42 @tanstack packages via three chained GitHub Actions9.69.2*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on May 21, 2026 and reflects VPR at that time. What is CVE-2026-45321CVE-2026-45321 describes a chained exploitation of three weaknesses in TanStack’s GitHub Actions CI/CD configuration. The attacker created a fork of the TanStack/router repository under a renamed account to avoid detection, then opened a pull request that triggered a pull_request_target workflow. This workflow executed code from the attacker’s fork in the base repository’s trusted context, allowing the attacker to poison the GitHub Actions cache with malicious binaries. When legitimate maintainer pull requests were later merged, the release workflow restored the poisoned cache. Attacker-controlled code then extracted OpenID Connect (OIDC) tokens directly from the runner’s process memory and exchanged them with npm’s federation endpoint for full publish credentials.The result was 84 malicious package versions published across 42 TanStack packages in under six minutes, all carrying valid SLSA Build Level 3 provenance attestations from Sigstore.Are there other CVEs associated with Mini Shai-Hulud?At present, only CVE-2026-45321 has been assigned. It applies specifically to the TanStack wave of the campaign. The broader Mini Shai-Hulud campaign exploits CI/CD trust relationships and stolen credentials rather than traditional software vulnerabilities.Which threat actors are behind this campaign?Multiple independent security firms attribute the campaign to TeamPCP, a financially motivated cybercriminal group that emerged in late 2025. Google’s Threat Intelligence Group tracks the group as UNC6780. Other tracked aliases include DeadCatx3, PCPcat, ShellForce, and CipherForce, according to Snyk and Palo Alto Networks Unit 42.TeamPCP is assessed as responsible for several prior high-profile supply chain compromises, including the Aqua Security Trivy scanner compromise (March 2026), the Bitwarden CLI npm compromise (April 2026), the Checkmarx Jenkins AST Plugin backdoor (May 2026) and GitHub (May 2026). Unit 42 has documented TeamPCP’s announced partnership with the Vect ransomware group, suggesting the credential harvesting pipeline may serve as an initial access pathway for ransomware deployment.What organizations have been affected?At least four organizations have publicly confirmed breaches linked to the campaign:OpenAI disclosed on May 15 that two employee devices in its corporate environment were compromised after ingesting a malicious TanStack package. Limited credential material was exfiltrated from internal source code repositories, including code-signing certificates for macOS, Windows, iOS, and Android applications. OpenAI is rotating those certificates and requiring all macOS users to update their applications before June 12, 2026. The company stated it found no evidence that customer data, production systems, or intellectual property were compromised.Mistral AI confirmed that a codebase management system was compromised and SDK packages were contaminated. Non-core code repositories were accessed. On May 17, a TeamPCP-linked forum account claimed to be selling alleged Mistral AI repositories.The European Commission (europa.eu) was reportedly affected by the earlier Trivy wave in March 2026, with over 90 gigabytes of data exfiltrated according to ReversingLabs reporting.GitHub disclosed on May 19 that they were investigating claims made by TeamPCP after the group posted GitHub source code for sale. Shortly after, they confirmed that roughly 3,800 internal repositories were breached. The root cause was a trojanized Visual Studio Code extension that had been installed by an employee. That extension was later revealed to be Nx Console, in which a malicious copy of the extension was available for around 18 minutes on the Visual Studio Marketplace. According to the Nx Console security advisory, the root cause was a developer’s account that had been compromised via theTanstack supply-chain compromise. The leaked credentials were then abused to run workflows on the Nx Console GitHub repository.Beyond named victims, the campaign has compromised over 170 packages spanning both npm and PyPI with more than 518 million cumulative weekly downloads. OX Security data shows that at least 400 GitHub repositories of stolen credentials were created as part of the campaign.How does the worm spread?The campaign’s core mechanism is a self-propagating worm. When a developer or CI/CD runner installs a compromised package, the malware executes during installation and harvests credentials stored on the system, including npm tokens, GitHub personal access tokens, AWS credentials, Kubernetes secrets, SSH keys and HashiCorp Vault tokens. The worm then uses those harvested credentials to publish poisoned versions of other packages the victim has access to, creating a chain reaction that spreads across the ecosystem without requiring further action from the attacker.Mini Shai-Hulud employs three distinct attack chains depending on the access conditions available:Token theft and automated mass-publish is the most common method. The attacker compromises an npm maintainer account or token through prior credential harvesting, then runs an automated script that publishes trojanized versions of every package accessible to the compromised account. The trojanized packages include a preinstall hook that downloads the Bun JavaScript runtime and executes a large, obfuscated credential-stealing payload before the dependency installation completes.OIDC hijack with provenance defeat was used in the TanStack wave and represents the most technically sophisticated variant. Instead of stealing a stored credential, the attacker extracted a short-lived OIDC token from the runner’s process memory, allowing publication through the project’s own trusted pipeline with valid cryptographic attestation.PyPI injection targets Python packages through compromised maintainer accounts. A dropper injected into the package’s initialization file downloads a separate malicious payload from attacker-controlled infrastructure.All three chains converge on the same post-exploitation behavior: credentials are exfiltrated through three redundant channels (a dedicated command-and-control server, the decentralized Session messenger network and GitHub API dead drops), and the harvested tokens are used to propagate the worm to additional packages.Why is the SLSA provenance defeat significant?SLSA (Supply-chain Levels for Software Artifacts) is a framework for verifying that software was built from a trusted source through a trusted process. Build Level 3, the highest practical level, requires cryptographic provenance generated by the build system itself, verified through Sigstore. Running npm audit signatures on a Level 3-attested package should confirm that the package was built exactly as the maintainer intended.The Mini Shai-Hulud TanStack wave demonstrated that provenance attestation can verify that the build pipeline is legitimate without verifying that the code being built is safe. Because the attacker hijacked the legitimate pipeline itself (rather than publishing from an unauthorized account), the resulting packages carried valid attestations. Organizations that relied on provenance verification as a primary supply chain security control were unable to detect the compromise.This finding has implications beyond this specific campaign. Any security control that verifies process integrity without independently verifying code integrity is vulnerable to the same class of attack. Provenance remains valuable but is no longer sufficient as a standalone trust signal for open-source packages. When malicious code can bypass cryptographic build verification, code scanning cannot live in a vacuum; it must be continuously validated alongside identity entitlements and runtime posture.What about the open-sourced code and copycat attacks?On May 12, 2026, TeamPCP published the Shai-Hulud worm source code on GitHub under an MIT License with the message: “Shai-Hulud: Open Sourcing The Carnage.” The release included operational guidance encouraging users to customize encryption keys and infrastructure for their own campaigns. TeamPCP simultaneously announced a $1,000 contest on BreachForums for the largest supply chain attack using the code.OX Security detected four malicious npm packages from separate threat actors deploying Shai-Hulud clones in May 2026, including chalk-tempalte (a typosquat of the popular Chalk library), @deadcode09284814/axios-util, axois-utils, and color-style-utils. These copycat packages use the open-sourced worm code with modified command-and-control infrastructure and credential exfiltration targets.A rival worm called PCPJack has also been observed actively evicting TeamPCP infections while stealing credentials independently, adding further complexity to the threat landscape.Is CVE-2026-45321 in the CISA Known Exploited Vulnerabilities (KEV) catalog?As of May 20, 2026, CVE-2026-45321 is not listed in the CISA KEV catalog. NHS England issued a security alert related to the campaign, but no public advisory from CISA has been published.What should organizations do?Scan your dependency trees immediately. Check lockfiles and CI logs for any affected package versions across the @tanstack, @uipath, @mistralai, @opensearch-project, @antv, and @squawk namespaces. Community-maintained detection scripts can assist, though organizations should verify third-party scanning tools before deployment.Check for persistence before revoking tokens. The worm installs a gh-token-monitor daemon (via systemd on Linux or launchctl on macOS) that polls GitHub every 60 seconds and triggers a recursive file deletion if it detects that the token has been revoked. Search for and remove this daemon, as well as injected tasks in.vscode/tasks.json and Claude Code hooks in ~/.claude/settings.json, before rotating credentials.Rotate all credentials on potentially affected systems. If exposure is suspected, rotate GitHub tokens, npm tokens, AWS credentials, HashiCorp Vault tokens, Kubernetes service accounts, Docker credentials, and CI/CD secrets. Treat any system that installed a compromised package version as fully compromised.Harden CI/CD pipeline configurations. Replace pull_request_target workflows with pull_request for any workflow that executes code from pull requests. Pin all GitHub Actions and workflow steps to immutable commit SHAs rather than tags or branches. Implement cache isolation between fork-originated and maintainer-originated workflows. Restrict secret access to named workflow steps using the GitHub Actions permissions key.Implement structural dependency controls. Deploy –ignore-scripts as the default for npm installs with explicit allowlisting for trusted lifecycle hooks. Pin all dependencies to exact versions and enforce lockfile integrity verification in CI. Consider implementing minimumReleaseAge policies to delay automatic installation of newly published versions.Audit for credential storage on developer machines. The payload targets more than 80 environment variables and filesystem paths, including.aws/credentials, .npmrc, .ssh/ directories, .kube/config, and .docker/config.json. Transition from long-lived filesystem credentials to short-lived tokens and ephemeral CI/CD environments wherever possible.Monitor for campaign indicators. Watch for network connections to 83.142.209[.]194, DNS queries to getsession[.]org endpoints from CI runners, and GitHub repository creation matching Dune-themed naming patterns. Organizations with Software Composition Analysis tools should ensure their rulesets include the campaign’s known payload hashes and behavioral indicators.Has Tenable released any product coverage for these vulnerabilities?Yes, Tenable customers can use Tenable One Exposure Management Platform to assess their exposure surface related to Mini Shai-Hulud. Tenable One provides visibility into software dependencies and CI/CD pipeline configurations, enabling organizations to identify potentially compromised packages within their environments and prioritize remediation based on their specific exposure context.Tenable One Cloud Exposure Management provides immediate inventory and prioritization coverage across five dimensions:Continuous package inventory across every cloud workload allowing you to scan container images, VMs, and registry artifacts to maintain a live software bill of materials (SBOM). The moment indicators of compromise (IOCs) publish, Tenable identifies every asset pulling the compromised versions.Reachability and exploitability context. This is where Tenable One Cloud Exposure Management separates from list-based software composition analysis (SCA), determining whether the compromised package is actually loaded at runtime, whether the workload is internet-exposed and whether the malicious code path executes on import.Pipeline-to-cloud lineage. Tenable One Cloud Exposure Management traces compromised packages back through CI/CD to the build artifacts they produced, through runtime. Tenable also provides runtime reachability analysis with eBPF scanning and AI-powered Threat Stories, adding yet another actionable layer of threat discovery and response.Asset-criticality prioritization. Tenable ranks findings by business context, identity blast radius via cloud infrastructure entitlement management (CIEM), and data sensitivity via data security posture management (DSPM) so response teams work the highest-risk assets first.Unified findings inside Tenable One. SCA hits don’t sit in isolation. They land alongside CSPM misconfigurations, identity exposures, and runtime signals from CDR, correlated by Hexa AI into a single prioritized exposure. The SCA finding joins to the IAM role that pipeline assumes, the secrets it can access and the data those secrets unlock.Additionally, a list of Tenable plugins for CVE-2026-45321 can be found on the individual CVE page as they’re released. Coverage for the original Shai-Hulud variants can be found in plugin ID 265897.These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Get more informationStepSecurity: Mini Shai-Hulud is BackWiz: Mini Shai-Hulud Strikes AgainSnyk: TanStack npm Packages Hit by Mini Shai-HuludAkamai: Mini Shai-Hulud: The Worm Returns and Goes PublicOpenAI: Our Response to the TanStack npm Supply Chain AttackReversingLabs: Shai-Hulud Code DropTanStack PostmortemOX Security: New Actors Deploy Shai-Hulud ClonesJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)by Satnam Narang on May 21, 2026 at 9:25 am
A highly critical SQL injection vulnerability in Drupal core’s database abstraction layer affects sites running PostgreSQL.Change logUpdate May 27: The blog has been updated to include reports of observed exploitation attempts.Click here to review the change log historyUpdate May 27: The blog has been updated to include reports of observed exploitation attempts.Key TakeawaysCVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core’s database abstraction API that can be exploited by unauthenticated attackers on sites using PostgreSQL.No exploitation has been observed in the wild, but a detection PoC was published on the same day as the advisory and the patch diff was shared publicly within hours.Patches are available across six supported Drupal branches, including two exceptional releases for end-of-life versions.BackgroundOn May 20, Drupal published a security advisory (SA-CORE-2026-004) for a highly critical SQL injection vulnerability in Drupal core:CVEDescriptionCVSSv3CVE-2026-9082Drupal Core SQL Injection Vulnerability6.5The advisory was preceded by a public service announcement (PSA-2026-05-18) on May 18, which warned administrators to prepare for a highly critical release and cautioned that exploitation could occur “within hours or days” of disclosure.Drupal rates this vulnerability 20 out of 25 on its own risk scoring scale (“Highly Critical”), noting that the confidentiality impact includes “all non-public data accessible” and the integrity impact is “all data modifiable or deletable.” NVD assigned a CVSSv3 score of 6.5, rating the confidentiality and integrity impacts as Low. Given the vendor’s own characterization of impact and the unauthenticated attack vector, the Drupal risk rating better reflects the potential severity for affected configurations.AnalysisCVE-2026-9082 is an SQL injection vulnerability in Drupal core’s database abstraction API, specifically in the PostgreSQL EntityQuery condition handler. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Drupal site running on PostgreSQL. Successful exploitation could lead to information disclosure, data modification or deletion, and in some configurations, privilege escalation or remote code execution.User-controlled PHP array keys could reach SQL placeholder construction unsanitized. Drupal fixed this by applying ‘array_values()’ which strips attacker-supplied keys and replaces them with numeric indexes.Scope: PostgreSQL onlyThis vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not affected. The vulnerable code resides in Drupal’s PostgreSQL EntityQuery condition handler, which is only invoked on PostgreSQL configurations.No exploitation observedAt the time this blog post was published on May 21, Drupal’s advisory describes the exploit status as “Theoretical,” and no in-the-wild exploitation has been reported.Historical exploitation of Drupal CoreDrupal core has a well-documented history of critical vulnerabilities that attracted rapid mass exploitation. CISA’s Known Exploited Vulnerabilities (KEV) catalog contains four Drupal entries, two of which have confirmed ransomware use. The Drupalgeddon vulnerabilities (CVE-2018-7600 and CVE-2018-7602) in particular became a case study in how quickly attackers weaponize Drupal flaws once details are available.CVEDescriptionDate AddedTenable BlogsCVE-2018-7600Drupal Core Remote Code Execution (Drupalgeddon 2)2021-11-03Critical Drupal Core Vulnerability: What You Need to KnowCVE-2018-7602Drupal Core Remote Code Execution (Drupalgeddon 3)2022-04-13Drupalgeddon Attacks Continue on Sites Missing Security UpdatesCVE-2019-6340Drupal Core Arbitrary PHP Code Execution2022-03-25Highly Critical Drupal Security Advisory ReleasedCVE-2020-13671Drupal Core File Extension Sanitization2022-01-18–Proof of conceptOn the same day as the security release, a detection PoC and reproduction lab was published. The patch diff was also shared on social media within hours of the release.The minimal complexity of this patch, combined with the availability of AI-powered code analysis tools that can analyze diffs and assist in exploit development, compresses the timeline between patch release and weaponization. Historically, Drupal vulnerabilities of this severity have seen exploitation within hours to days of disclosure. Administrators running PostgreSQL-backed Drupal sites face a shortening window to apply patches before exploitation attempts begin.Update: On May 22, Drupal updated its advisory for CVE-2026-9082 to increase its risk score because “exploit attempts are now being detected in the wild” while CISA added CVE-2026-9082 to the KEV.SolutionDrupal has released fixed versions across all currently supported branches, as well as exceptional releases for two end-of-life branches due to the severity of this vulnerability:Affected VersionsFixed VersionDrupal 11.3.0 – 11.3.911.3.10Drupal 11.2.0 – 11.2.1111.2.12Drupal 11.0.0 – 11.1.911.1.10 (EOL, exceptional release)Drupal 10.6.0 – 10.6.810.6.9Drupal 10.5.0 – 10.5.910.5.10Drupal 10.4.0 – 10.4.910.4.10 (EOL, exceptional release)Sites running Drupal 8.9 or 9.5 have reached end-of-life and will not receive packaged updates. However, Drupal has published hotfix files for sites running 9.5.11 or 8.9.20. Sites on Drupal 7 are not affected.Sites using Drupal Steward are protected against known attack vectors for this vulnerability.According to the security advisory, these releases also include coordinated upstream security updates for Symfony and Twig. These include separate vulnerabilities from CVE-2026-9082, but Drupal core is affected by some of them. Even sites not running PostgreSQL benefit from updating to these releases.Identifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2026-9082 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Drupal by using the following query: CMS contains Drupal. Get more informationDrupal Security Advisory SA-CORE-2026-004Drupal PSA-2026-05-18: Pre-release announcementJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Key findings from the Verizon DBIR 2026: Slower vulnerability remediation meets faster exploitationby Scott Caveza on May 19, 2026 at 9:17 am
The 2026 Verizon Data Breach Investigations Report (DBIR) reveals a troubling trend: vulnerability exploitation has surged to become the number one initial access vector while remediation rates have worsened.Key takeawaysVulnerability exploitation has surged to become the leading initial access vector for breaches, accounting for 31% of data breaches during the study period.Security teams’ patching efforts are falling further behind, with the median time-to-patch growing by 11 days in the past year.As AI-powered tools increase the speed and volume of vulnerability discovery and vulnerability exploitation, exposure management helps organizations keep up by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.What is the Verizon DBIR reportVerizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats since its first release in 2008. For the 2026 edition, Tenable Research once again contributed enriched data on vulnerability exploitation and vulnerability remediation trends. This year’s findings paint a stark picture: Compared with last year, organizations are facing a significant increase in the volume of “must-patch” vulnerabilities from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.The widening gap between vulnerability disclosure and remediation represents one of the most pressing challenges in cybersecurity today. Security teams are already overwhelmed, both by the rising number of vulnerabilities and the lack of time for patch management. This reality underscores the critical need for comprehensive exposure management, a strategic, AI-driven approach to preemptive security designed to help organizations reduce cyber risk by continually assessing their attack surfaces, prioritizing risks, and orchestrating automated remediation of security weaknesses.Verizon DBIR 2026 overview and analysisThe 2026 Verizon DBIR found that vulnerability exploitation is the top initial access vector, accounting for 31% of data breaches during the study period. Even more concerning is that the median time-to-patch has increased from 32 days to 43 days, a 34% increase. This year’s findings paint a stark picture: The number of vulnerabilities continues to snowball, as organizations’ patching rates continue to fall behind.The CVE explosion continues — and AI will accelerate itThe vulnerability landscape continues to see explosive growth as the CVE program currently reports more than 351,000 registered CVEs with more than 21,500 already reserved in 2026. As we’re on the path for another record number of CVEs, this flood of vulnerabilities creates an extremely difficult situation for security teams already stretched thin. With median time-to-patch increasing and exploitation timelines shrinking, attackers are winning the race between disclosure and remediation.The situation may be poised to worsen dramatically. The cybersecurity community is increasingly concerned about AI-powered vulnerability discovery tools like Anthropic’s Claude Mythos, which can automatically identify security flaws in codebases at unprecedented speed and scale. While such tools hold promise for defensive security teams, they also represent a potential inflection point: if AI can discover vulnerabilities faster than organizations can patch them, the already immense patch burden could become truly unmanageable.This AI-driven acceleration comes at the worst possible time. Organizations are already struggling to remediate vulnerabilities, with the Verizon data breach investigations report finding that organizations successfully remediate only 26% of KEV vulnerabilities. Adding to this concern, the DBIR points out that there has been a nearly 50% increase in the number of CISA KEV vulnerabilities to patch in 2025, putting even more pressure on security teams.If AI models begin flooding the CVE database with newly discovered vulnerabilities, or worse, if attackers leverage these models to find and exploit zero-days before defenders can respond, the current remediation crisis is likely to escalate into a systemic failure of the traditional patch-based defense model.The exposure management imperativeWhile vulnerability exploitation dominates headlines as the number one initial access vector, it represents only a slice of the exposure problem. The DBIR notably highlights credential abuse as another significant threat vector, underscoring that vulnerabilities don’t exist in isolation. Stolen credentials can transform a moderate-severity vulnerability into a critical breach pathway, while exposed configurations can provide attackers with the access needed to exploit unpatched systems.This interconnected nature of exposures highlights why more and more organizations are adopting comprehensive exposure management. Understanding and addressing the full attack surface, including identity risks, misconfigurations, excessive permissions, and vulnerable assets, is essential to reducing breach risk in today’s threat landscape.The emergence of AI-powered vulnerability discovery makes exposure management absolutely essential. As AI tools accelerate vulnerability identification, organizations cannot simply try to patch more vulnerabilities faster. Instead, they must focus on understanding and remediating the vulnerabilities that matter most in the context of their specific environment. A newly discovered vulnerability on an isolated system with no credentials exposed and strong access controls poses far less risk than an older CVE on an internet-facing asset with weak authentication. The Tenable One Exposure Management Platform provides both the contextual framework needed to make these critical prioritization decisions and the agentic orchestration engine required to accelerate remediation in an era of AI-accelerated vulnerability discovery.Notable data insights from the DBIR reporting periodAs Tenable Research examined the trends in the data, our team decided to distill the CVEs into product categories and compare which categories saw the largest percentage of unremediated assets. For our analysis, we focused on KEV CVEs as these are vulnerabilities known to have been exploited and in attackers’ crosshairs.As you can see in the figure below, vulnerabilities affecting development tools saw the highest rate of unremediated assets, followed by virtualization/hypervisor flaws and remote monitoring and management (RMM) flaws. While the remediation process across these product categories can vary, the overall trend of nearly all of the product categories having an above 50% unremediated rate demonstrates that organizations are still struggling with vulnerability remediation.Similarly, we looked at the average number of days that assets remained unremediated while comparing that to the number of CVEs affecting that category during the DBIR reporting period.Tenable analysis of the data reinforces the stark reality highlighted in the Verizon DBIR: Organizations are taking longer to patch known and exploited vulnerabilities while facing a rapid increase in the number of vulnerabilities that require immediate attention.DBIR findingsThe 2026 DBIR findings are sobering but not surprising to those on the front lines of cybersecurity. The data confirms what many security teams experience daily: The patch burden is growing faster than organizations’ ability to respond. With vulnerability exploitation now the top initial access vector and median time-to-patch continuing to climb, the gap between attacker speed and defender response continues to widen.Organizations must adopt an exposure-centric approach that considers not just the presence of vulnerabilities, but the full risk context of their environment:Which assets are exposed?Who has access?Which credentials are compromised?Which exposure combinations create the most dangerous attack paths?In an era where AI is discovering vulnerabilities faster than humans can patch them, understanding which exposures truly matter represents the only sustainable path forward.The 2026 DBIR, enriched with Tenable Research’s data, provides valuable insights into today’s threat landscape. Tenable encourages security professionals to read the full Verizon DBIR to understand current attack trends and use these findings to inform their exposure management strategies. The crisis documented in this report signals that the traditional vulnerability-centric model needs a fundamental evolution toward comprehensive, AI-driven exposure management.Identifying affected systemsTenable provides comprehensive detection coverage for CISA’s KEV catalog, with detection capabilities deployed rapidly following vulnerability disclosure. This coverage spans diverse asset categories, enabling comprehensive visibility into actively exploited vulnerabilities across your environments. CVEs on the KEV catalog will have a tag on the individual CVE pages, and you can browse our upcoming plugins on our Plugins Pipeline page.Get more informationVerizon 2026 Data Breach Investigations Report (DBIR)Join Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
- Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)by Research Special Operations on May 14, 2026 at 9:05 pm
Multiple critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager are under active exploitation by multiple threat clusters, including CVE-2026-20182, which has been exploited as a zero-day by a sophisticated threat actor.Key TakeawaysCVE-2026-20182 is a critical (CVSSv3 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager disclosed on May 14 with confirmed active exploitation.A sophisticated threat actor designated UAT-8616 has exploited Cisco SD-WAN vulnerabilities since at least 2023, and 10 additional threat clusters began exploitation of multiple vulnerabilities in SD-WAN after public proof-of-concept code became available.Patches are available for all supported Cisco Catalyst SD-WAN releases and CISA has mandated remediation by May 17 under Emergency Directive 26-03.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding the ongoing exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager.FAQWhen were these Cisco SD-WAN vulnerabilities first disclosed?On February 25, 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that was already being exploited in the wild at the time of disclosure. Alongside that advisory, Cisco also released patches for three additional vulnerabilities in SD-WAN Manager: CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122. The security advisory for these CVEs (cisco-sa-sdwan-authbp-qwCX8D4v) was updated in March to confirm exploitation of CVE-2026-20128 and CVE-2026-20122 and then again in April to confirm that CVE-2026-20133 had also been exploited.On May 14, 2026, Cisco published a new advisory (cisco-sa-sdwan-rpa2-v69WY2SW) for CVE-2026-20182, a separate critical authentication bypass vulnerability that was discovered during the investigation into the earlier exploitation. This vulnerability is also under active exploitation.What are the vulnerabilities associated with the Cisco SD-WAN exploitation?There are five CVEs associated with this ongoing campaign, plus one older vulnerability used for post-compromise privilege escalation:CVEDescriptionCVSSv3Cisco AdvisoryCVE-2026-20182Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability10.0cisco-sa-sdwan-rpa2-v69WY2SWCVE-2026-20127Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability10.0cisco-sa-sdwan-rpa-EHchtZkCVE-2026-20133Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability7.5cisco-sa-sdwan-authbp-qwCX8D4vCVE-2026-20128Cisco Catalyst SD-WAN Manager Credential Access Vulnerability7.5cisco-sa-sdwan-authbp-qwCX8D4vCVE-2026-20122Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability5.4cisco-sa-sdwan-authbp-qwCX8D4vCVE-2022-20775Cisco SD-WAN CLI Path Traversal Privilege Escalation Vulnerability7.8cisco-sa-sd-wan-priv-E6e8tEdFBoth CVE-2026-20182 and CVE-2026-20127 are critical-severity flaws that enable remote, unauthenticated access to administrative functions due to broken peering authentication logic. CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, when chained together, allow a remote unauthenticated attacker to gain access to the SD-WAN Manager.What products are affected?The following table lists the CVEs and affected devices. None of these vulnerabilities require specific device configurations to be exploitable, and all deployment models are affected:CVEAffected Device(s)CVE-2026-20182Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN ManagerCVE-2026-20127Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN ManagerCVE-2026-20133Cisco Catalyst SD-WAN ManagerCVE-2026-20128Cisco Catalyst SD-WAN ManagerCVE-2026-20122Cisco Catalyst SD-WAN ManagerCVE-2022-20775Cisco SD-WAN Software:- SD-WAN vBond Orchestrator Software- SD-WAN vEdge Cloud Routers- SD-WAN vEdge Routers- SD-WAN vManage Software- SD-WAN vSmart Controller SoftwareHow severe is the exploitation?Successful exploitation of CVE-2026-20182 or CVE-2026-20127 provides access to a privileged (but non-root) internal account on the SD-WAN Controller. That access opens NETCONF, giving the attacker the ability to alter network configuration across the entire SD-WAN fabric. In observed attacks, the threat actor UAT-8616 then leveraged CVE-2022-20775 via a software version downgrade technique to escalate privileges to root.Post-compromise activities observed by Cisco Talos include SSH key injection, NETCONF configuration manipulation, malicious account creation, and extensive log clearing to cover tracks.Who is UAT-8616?UAT-8616 is a designation assigned by Cisco Talos to a “highly sophisticated cyber threat actor” that has been exploiting Cisco SD-WAN infrastructure since at least 2023. According to Cisco Talos, UAT-8616 targets critical infrastructure sectors and its infrastructure overlaps with monitored Operational Relay Box (ORB) networks.UAT-8616 exploits CVE-2026-20182 and CVE-2026-20127 for initial access, then, in the case of CVE-2026-20127 exploitation, performs software version downgrades to expose CVE-2022-20775 for root privilege escalation. After achieving root access, the actor restores the original software version to conceal the exploitation path. Additional persistence techniques include injecting SSH keys into authorized_keys files, enabling PermitRootLogin in the SSH daemon configuration, and clearing forensic evidence from syslog, wtmp, lastlog, bash_history and cli-history files.Are there other threat actors exploiting these vulnerabilities?Yes. Cisco Talos has identified 10 additional threat clusters that are distinct from UAT-8616. These clusters have been exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain since early March 2026, following the publication of proof-of-concept code by ZeroZenX Labs. The tools deployed by these clusters range from webshells (Godzilla, Behinder, XenShell) and red team frameworks (AdaptixC2, Sliver) to cryptocurrency miners (XMRig) and credential stealers targeting admin hashes, JWT tokens and AWS credentials.Are proofs-of-concept (PoCs) available?Yes. ZeroZenX Labs published proof-of-concept code for the CVE-2026-20133, CVE-2026-20128, CVE-2026-20122 exploit chain in March 2026. This PoC release directly correlated with the surge in exploitation activity across multiple threat clusters. The availability of public PoC code highlights the risk to any exposed SD-WAN infrastructure that remains unpatched.What actions has CISA taken?CISA has taken multiple actions in response to the Cisco SD-WAN exploitation campaign:February 25, 2026: Added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities (KEV) catalogApril 20, 2026: Added CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to the KEV catalogMay 14, 2026: Added CVE-2026-20182 to the KEV catalog with an action deadline of May 17, 2026May 14, 2026: Issued Emergency Directive 26-03 and published Hunt & Hardening Guidance for Cisco SD-WAN DevicesAll five CVEs in this campaign are now in CISA’s KEV catalog.Are patches available?Cisco has released patches for each of the vulnerabilities discussed in this blog. We recommend reviewing the security advisories issued by Cisco for each CVE to identify the patch release and any considerations that may apply in order to apply the patches successfully.Are there indicators of compromise (IoC)?Cisco has published detailed IoC information across its advisories and Talos blog posts. The indicators include:Log evidence: Check /var/log/auth.log for “Accepted publickey for vmanage-admin” entries from unknown or unauthorized IP addressesControl connection anomalies: Run show control connections detail or show control connections-history detail and look for connections with state:up and challenge-ack: 0, which may indicate unauthorized peeringPost-compromise artifacts: Unauthorized SSH keys in /home/vmanage-admin/.ssh/authorized_keys/, PermitRootLogin enabled in /etc/ssh/sshd_config, unexplained software downgrades followed by rebootsFull IoC lists including C2 server IPs, malware file hashes, and attacker source IPs are available in the Cisco Talos blog.Has Tenable Research classified these vulnerabilities as part of Vulnerability Watch?Yes. CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, and CVE-2026-20122 have been classified as Vulnerabilities of Interest under Vulnerability Watch due to confirmed active exploitation and the availability of public proof-of-concept code. Tenable has been tracking this cluster of vulnerabilities since the original disclosure in February 2026, with watches re-established as exploitation escalated in March and again in May 2026 when CVE-2026-20182 was disclosed.Has Tenable released product coverage?A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2026-20182, CVE-2026-20127, CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, and CVE-2022-20775. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Cisco Catalyst SD-WAN devices by using the following query: Document Title contains Cisco Catalyst SD-WAN.Get more informationCisco Security Advisory: cisco-sa-sdwan-rpa2-v69WY2SWCisco Talos: SD-WAN Ongoing ExploitationCisco Talos: UAT-8616 SD-WAN CampaignTenable blog: CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Authentication Bypass Vulnerability Exploited in the WildJoin Tenable’s Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
















