Vulnerabilities – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.
- CBSE Engages IIT Experts After Admitting OSM Security Vulnerabilities by Ashish Khaitan on June 1, 2026 at 6:59 am
The Central Board of Secondary Education (CBSE) has intensified its response to concerns about an OSM vulnerability by engaging cybersecurity specialists from IIT Madras, IIT Kanpur, and several government agencies to conduct a detailed security assessment of its On-Screen Marking (OSM) platform. The portal, introduced in 2026 for the evaluation of the Class 12 board exam, has come under scrutiny following allegations from security researchers and ethical hackers about multiple weaknesses in the system.

In an official statement shared on X on May 31, 2026, CBSE acknowledged the issue and confirmed that remedial measures were already underway. The board stated, “The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”

The announcement is a notable development in the controversy surrounding the OSM platform. While CBSE had previously maintained that the system was secure, the latest statement confirms that vulnerabilities did exist and required immediate attention from cybersecurity experts.

Decoding the OSM Vulnerability

The controversy emerged after security researchers and ethical hackers highlighted several alleged flaws in the OSM platform used for the Class 12 board exam evaluation process. According to the concerns raised, the vulnerabilities could have exposed sensitive examination-related data and administrative controls. Among the issues reported were:

  - A hardcoded master password allegedly embedded within publicly accessible source code, potentially enabling unauthorized access.
  - One-time passwords (OTPs) reportedly visible through web browsers without requiring authentication.
  - The ability to reset evaluator passwords without proper authorization.
  - Potential access to or modification of student marks stored within the system.
  - An Amazon Web Services (AWS) cloud storage bucket allegedly containing scanned 2026 examination records that could be accessed publicly without login credentials.

Ethical hacker Nisarga Adhikary further alleged that scanned answer sheets and question papers stored within the AWS repository could be viewed and downloaded without authentication. These allegations intensified concerns regarding the scale and potential impact of the reported OSM vulnerability.

CBSE Deploys Expert Teams for Security Audit

As part of its response, CBSE has assembled a specialized team comprising experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. The objective is to perform a comprehensive audit of the platform and identify any remaining vulnerabilities. According to the board, the security teams have been working on the matter for several days. CBSE stated that all known vulnerabilities have been contained and that the platform is currently being migrated to a more secure environment as part of a broader strengthening exercise. The board has also initiated direct communication with some of the security researchers who reported the issues.

CBSE’s Security Measures at a Glance

As part of its response to the reported OSM vulnerability, CBSE has deployed a specialized team comprising experts from IIT Madras, IIT Kanpur, and the Digital Infrastructure Corporation of India. The board said these cybersecurity teams have been working on the matter for several days to assess the system and strengthen its security framework. According to CBSE, the known vulnerabilities identified in the OSM portal have been contained. The board also stated that the platform is currently being migrated to a more secure environment as part of its broader effort to enhance protection against potential cyber threats. CBSE has engaged directly with some of the security researchers and ethical hackers who brought the issues to light. The board has also invited additional inputs from researchers and cybersecurity professionals, requesting that any relevant information or findings be shared with its security team via email at secy-cbse@nic.in.

Board Invites Further Input from Researchers

CBSE publicly acknowledged the role played by ethical hackers and security researchers in identifying weaknesses within the platform. In its statement, the board said: “We are grateful to all alert citizens and ethical hackers pointing out such weaknesses and have gotten in touch with some of them directly.” The board further added: “We request any others to reach out to our security teams at secy-cbse@nic.in for any further inputs.” CBSE reiterated that the identified OSM vulnerability issues have been contained while a wider security review remains ongoing.

Post-Result Services Begin Despite Security Concerns

Despite the ongoing scrutiny surrounding the OSM platform, CBSE proceeded with the launch of its Class 12 post-result services on June 1, 2026, as previously scheduled. Students who appeared for the Class 12 board exam can now access post-result services through the official portal and apply for:

  - Scanned copies of answer books
  - Verification of marks
  - Re-evaluation requests

CBSE stated that the portal underwent security hardening measures before becoming operational on June 1. The controversy has also expanded beyond cybersecurity concerns. Student Sarthak Sidhant had earlier raised questions regarding the procurement and tendering process associated with the OSM system, adding another layer to the ongoing debate.
- WP Maps Pro Vulnerability Exposed 15,000 WordPress Sites to Site Takeover by Ashish Khaitan on May 29, 2026 at 9:56 am
A critical vulnerability in the WP Maps Pro WordPress plugin allowed unauthenticated attackers to create administrator accounts and potentially perform a complete site takeover on affected websites. The issue impacted all WP Maps Pro versions up to 6.1.0. The plugin had more than 15,000 sales at the time the vulnerability was disclosed.

The vulnerability was submitted to the Wordfence Bug Bounty Program on March 24, 2026. Security researcher David Brown discovered and responsibly reported the flaw, earning a $1,950 bounty. Wordfence stated that attackers could exploit a vulnerable AJAX action to create administrator accounts without authentication.

How the WP Maps Pro WordPress Plugin Vulnerability Worked

The WP Maps Pro WordPress plugin included a temporary access feature designed for support staff troubleshooting. The issue existed in the wpgmp_temp_access_ajax_callback() function, which handled the plugin’s AJAX action. The function relied on a nonce check using fc-call-nonce:

    function wpgmp_temp_access_ajax_callback(){
        // Vulnerable version: only the nonce is checked, no capability check.
        check_ajax_referer( 'fc-call-nonce', 'nonce' );
        $temp_access = new WPGMP_Temp_Access();
        $response = $temp_access->wpgmp_temp_access_support();
        wp_send_json($response);
        exit();
    }

Researchers found that the nonce was publicly exposed through frontend pages using wp_localize_script. Because the AJAX action was also registered with wp_ajax_nopriv_, unauthenticated users could access the endpoint. The vulnerable version did not include a capability check to verify administrator privileges.

Administrator Account Creation

After triggering the AJAX action with check_temp=false, the plugin executed the wpgmp_temp_access_support() function. The function created a new WordPress administrator account using:

  - A randomly generated username beginning with fc_user_
  - The hardcoded email address support@flippercode.com
  - The administrator role

The plugin then generated a login URL tied to the new account. According to the technical analysis, visiting the generated URL triggered wp_set_auth_cookie(), authenticating the attacker without requiring a password. Wordfence stated that attackers could then:

  - Install malicious plugins
  - Modify themes
  - Inject backdoors
  - Deploy webshells
  - Steal site data

The vulnerability could result in full site takeover.

Patch Released in Version 6.1.1

The vendor fixed the issue by adding a capability check to the vulnerable AJAX action:

    // Added in 6.1.1: reject callers that lack the manage_options capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized' ), 403 );
        exit();
    }

The patch restricted the endpoint to authenticated administrators only. The fully patched WP Maps Pro version 6.1.1 was released on May 20, 2026.

Wordfence Timeline

  - March 24, 2026 — Wordfence received the vulnerability report.
  - May 16, 2026 — Researchers validated the exploit and escalated the issue to the Envato security team after failing to locate direct vendor contact information.
  - May 18, 2026 — Wordfence Premium, Care, and Response users received firewall protection.
  - May 20, 2026 — WP Maps Pro 6.1.1 was released.
  - June 17, 2026 — Free Wordfence users were scheduled to receive the same firewall protection.

Wordfence urged users to update the WordPress plugin immediately to prevent exploitation and reduce the risk of site takeover.
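A check for the accounts described above, as an added example that is not Wordfence's or the vendor's code: it reads a user export and flags accounts whose login starts with fc_user_ or whose email is support@flippercode.com, listing administrators first. The sample rows are constructed and follow the column layout of `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv`.

```python
import csv
import io

# Indicators taken from the article: login prefix and hardcoded support email.
LOGIN_PREFIX = "fc_user_"
SUPPORT_EMAIL = "support@flippercode.com"

# Constructed sample export (not real site data).
SAMPLE_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.org,2024-02-11 09:14:02,administrator
7,editor_jane,jane@example.org,2025-06-30 16:40:51,editor
23,fc_user_8h2kq,support@flippercode.com,2026-05-12 03:22:10,administrator
24,fc_user_legit,someone@example.org,2026-05-13 11:00:00,subscriber
31,helpdesk,Support@FlipperCode.com,2026-05-14 01:05:44,"administrator,editor"
"""


def audit_users(csv_text):
    """Return findings for accounts matching the temp-access indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # wp-cli joins multiple roles with commas inside one CSV field
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        reasons = []
        if row["user_login"].startswith(LOGIN_PREFIX):
            reasons.append("login prefix " + LOGIN_PREFIX)
        # Email comparison is case-insensitive
        if row["user_email"].strip().lower() == SUPPORT_EMAIL:
            reasons.append("email " + SUPPORT_EMAIL)
        if not reasons:
            continue
        findings.append({
            "id": int(row["ID"]),
            "login": row["user_login"],
            "registered": row["user_registered"],
            "is_admin": "administrator" in roles,
            "reasons": reasons,
        })
    # Administrator matches first: those accounts can take over the site
    findings.sort(key=lambda f: (not f["is_admin"], f["id"]))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_CSV):
        level = "HIGH" if f["is_admin"] else "review"
        print(f"[{level}] user {f['id']} {f['login']} "
              f"registered {f['registered']}: {', '.join(f['reasons'])}")
```

Accounts created by a legitimate support session match the same indicators, so compare each hit's registration time with when support access was actually granted.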
- Notepad++ Patches High-Severity RCE Flaws in Version 8.9.6.1 by Ashish Khaitan on May 29, 2026 at 7:11 am
The developers behind Notepad++ have released version 8.9.6.1 to address multiple security vulnerabilities, including critical flaws that could expose users to remote code execution (RCE) attacks under certain conditions. The patched vulnerabilities, disclosed on May 26, 2026, include CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800, all affecting Notepad++ versions up to 8.9.6.

The most serious of the patched flaws is CVE-2026-48778, a high-severity vulnerability stemming from improper handling of configuration data in the widely used Windows text editor. Security researchers warned that the flaw could allow attackers to execute arbitrary commands by manipulating application settings files.

CVE-2026-48778: Critical Notepad++ RCE Vulnerability

The vulnerability tracked as CVE-2026-48778 originates from the way Notepad++ processes entries within the config.xml file. Specifically, the issue affects the <GUIConfig name="commandLineInterpreter"> parameter, which the application reads without applying validation, integrity checks, or allowlist restrictions.

According to the vulnerability details, Notepad++ later uses this parameter when a user selects the “Open Containing Folder in cmd” feature. Because the value is not properly sanitized, an attacker can alter the executable path and force the application to launch unintended programs.

Researchers demonstrated the exploitability of CVE-2026-48778 through a proof-of-concept attack that replaced the expected command prompt behavior with the execution of calc.exe. Triggering the feature caused the Windows Calculator application to open, confirming that arbitrary code execution was possible through malicious configuration manipulation.

The flaw has been classified under CWE-78, which covers OS Command Injection vulnerabilities. Despite requiring user interaction, the vulnerability has drawn concern because of its low attack complexity and lack of privilege requirements, making it a realistic threat in enterprise and personal computing environments.

Multiple Attack Vectors Increase RCE Risk

Although CVE-2026-48778 is not considered a fully automated exploit, researchers noted several practical attack paths that could still make the Notepad++ flaw dangerous in real-world scenarios. One potential method involves directly modifying the %APPDATA%\Notepad++\config.xml file under the current user context. Attackers may also distribute specially crafted shortcut files that abuse the -settingsDir parameter to redirect the application toward attacker-controlled configuration directories.

Additional attack scenarios include poisoning cloud-synchronized configuration paths supported by Notepad++ or relying on social engineering tactics to convince users to extract malicious archives into AppData directories. These techniques could allow threat actors to weaponize trusted workflows without immediately attracting attention.

Because Notepad++ is widely deployed across developer systems, administrative environments, and enterprise workstations, the possibility of RCE exploitation through manipulated configuration files significantly increases the security impact of CVE-2026-48778.

CVE-2026-48770 and CVE-2026-48800 Also Patched

In addition to the primary RCE vulnerability, the latest Notepad++ update addresses two other security flaws. CVE-2026-48770 involves a crash vulnerability triggered by malformed structures. Successful exploitation could lead to denial-of-service conditions that disrupt the normal functioning of the application.

Meanwhile, CVE-2026-48800 is another arbitrary code execution issue associated with improper handling of the shortcuts.xml file. Like CVE-2026-48778, this flaw demonstrates the broader security risks tied to unsafe processing of configuration and shortcut-related data.

The disclosure of CVE-2026-48770 and CVE-2026-48778 highlights the growing attention being placed on configuration-based attack surfaces within desktop applications. Security researchers have repeatedly warned that insufficient validation of locally stored configuration files can create opportunities for privilege abuse and command execution.

Notepad++ Users Urged to Install Security Update

Users and organizations are being advised to upgrade immediately to Notepad++ version 8.9.6.1 to mitigate exposure to CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800. The updated release improves the way the application handles configuration data and reduces the likelihood of malicious executable paths being processed through internal features.

Security experts also recommend additional defensive measures beyond patching. These include monitoring sensitive configuration files for unauthorized modifications, restricting write permissions to application directories, and validating executable paths wherever possible.
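One way to apply the "validate executable paths" recommendation to the commandLineInterpreter setting, as an added example that is not Notepad++ code: it parses a config.xml and checks each commandLineInterpreter entry against an allowlist. The allowlist is an assumed policy, the value is assumed to be the element's text, and the XML fragments are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumed policy (not from Notepad++): interpreters the organisation accepts.
ALLOWED_NAMES = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
ALLOWED_PATHS = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

# Constructed config.xml fragments; the value is assumed to be the element text.
CLEAN = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">powershell</GUIConfig>
</GUIConfigs></NotepadPlus>"""

# Same value the article's proof of concept used.
TAMPERED = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">calc.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""

ABSENT = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="TabSetting" size="4" replaceBySpace="no" />
</GUIConfigs></NotepadPlus>"""


def check_interpreter(value):
    """Return (ok, reason) for one commandLineInterpreter value."""
    v = (value or "").strip().strip('"')
    if not v:
        return True, "no override set"
    lowered = v.lower()
    if "\\" not in v and "/" not in v and ":" not in v:
        # Bare program name, resolved by Windows at launch time
        if lowered in ALLOWED_NAMES:
            return True, "allowlisted name"
        return False, "program name not on allowlist: " + v
    # Collapse "..", "." and mixed separators before comparing.
    # A value carrying arguments ("cmd.exe /c ...") lands here and is rejected.
    normalized = ntpath.normpath(lowered)
    if normalized in ALLOWED_PATHS:
        return True, "allowlisted path"
    return False, "path not on allowlist: " + v


def audit_config(xml_text):
    """Return one result per commandLineInterpreter element (empty if absent)."""
    results = []
    root = ET.fromstring(xml_text)
    for node in root.iter("GUIConfig"):
        if node.get("name") != "commandLineInterpreter":
            continue
        value = (node.text or "").strip()
        ok, reason = check_interpreter(value)
        results.append({"value": value, "ok": ok, "reason": reason})
    return results


if __name__ == "__main__":
    for label, xml_text in (("clean", CLEAN), ("tampered", TAMPERED), ("absent", ABSENT)):
        print(label, audit_config(xml_text))
```

The same check applies to any directory a shortcut passes through -settingsDir, since that directory's config.xml is read in place of the one under %APPDATA%.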
- Critical Ghost CMS Vulnerability Exploited to Hack 700+ Websites by Ashish Khaitan on May 26, 2026 at 10:21 am
A critical Ghost CMS vulnerability identified as CVE-2026-26980 has been exploited in a widespread cyber campaign that compromised more than 700 websites, including platforms associated with major institutions such as Harvard University, University of Oxford, and DuckDuckGo. Security researchers say the attacks leveraged weaknesses in the Ghost content management system to inject malicious JavaScript code aimed at facilitating ClickFix malware attacks.

The attacks were detailed by Chinese cybersecurity company QiAnXin and its XLab research team, which warned that threat actors are actively exploiting unpatched Ghost installations in an ongoing “large-scale poisoning” campaign.

CVE-2026-26980 Enabled Unauthorized Access to Ghost CMS Sites

The exploited flaw, tracked as CVE-2026-26980, was disclosed and patched in February 2026 in version 6.19.1 of the Ghost content management system. Ghost is a widely used open-source CMS focused on blogging, digital publishing, newsletters, and memberships. According to its developers, the platform powers more than 100,000 websites globally.

The Ghost CMS vulnerability is an SQL injection flaw affecting Ghost’s Content API. Researchers at SentinelOne previously warned that the vulnerability could allow unauthenticated attackers to extract sensitive data directly from a site’s database. This included authentication tokens, website content, and user credentials.

The flaw received a CVSS severity score of 9.4, highlighting the serious risks posed by CVE-2026-26980. The vulnerability was reportedly discovered by Anthropic using its Claude AI system.

What made the Ghost CMS vulnerability especially dangerous was its ability to expose a site’s Admin API Key. Once attackers obtained this key, they could abuse Ghost’s Admin API to directly modify published articles and inject malicious code into legitimate websites without authorization.

Hundreds of Websites Infected

According to QiAnXin XLab, attackers began exploiting CVE-2026-26980 shortly after the security patch became publicly available. Investigators noted that a DLL file involved in the campaign carried a compilation timestamp dated February 16, 2026 — the same day the patch for the Ghost CMS vulnerability was announced.

The malicious activity was first detected on May 7, 2026, and by early May, researchers had already identified hundreds of compromised websites running the Ghost content management system. More than 700 websites across various industries were eventually found to be affected.

The victims included organizations operating in sectors such as artificial intelligence, software development, blockchain, cybersecurity, fintech, media, SaaS, and higher education. Researchers found that nearly half of the compromised websites were personal blogs or independently operated sites. However, many others belonged to major institutions and technology-focused organizations.

QiAnXin stated that many victims were notified about the compromises, but the majority reportedly failed to respond to the alerts. “At least two groups are currently actively conducting such poisoning operations, and some sites have even become the target of competition between the two parties, with different malicious code being implanted one after another within a single day,” the researchers said.

Malicious JavaScript Injected Into Ghost CMS Articles

The attackers used the Ghost CMS vulnerability to tamper with website articles by appending malicious JavaScript loaders to the bottom of pages. These loaders were designed to support ClickFix attacks — a growing social engineering tactic that tricks users into manually executing malware on their systems.

The injected code acted as a two-stage loader that retrieved additional payloads at runtime from an external domain identified as “clo4shara[.]xyz/11z77u3.php.” Researchers said the infrastructure gave attackers flexibility to swap payloads while maintaining the same loader framework across multiple compromised Ghost CMS sites.

QiAnXin explained that the PHP script functioned as a traffic distribution and cloaking system powered by Adspect, a commercial cloaking service. The script gathered browser fingerprinting data from visitors and selectively redirected targets based on predefined rules.

“Directly accessing clo4shara[.]xyz/11z77u3.php reveals a piece of code, which is actually a typical traffic distribution script,” XLab researchers explained. “Its core function is to collect various fingerprint information from the user’s browser and upload it to the server, then perform actions such as redirection, popups, and downloads based on the returned instructions.”

The cloaking mechanism helped attackers avoid detection by ensuring that only intended victims received malicious payloads, while automated scanners and crawlers were shown harmless web content instead.
- Megalodon Supply Chain Attack Hits 5,500+ GitHub Repositories in Six Hours by Ashish Khaitan on May 26, 2026 at 6:27 am
A large-scale software supply chain attack dubbed “Megalodon” has compromised more than 5,500 repositories on GitHub, raising fresh concerns about the growing abuse of automated development pipelines and GitHub Actions workflows. The incident, uncovered by SafeDep, involved thousands of malicious commits that injected credential-stealing payloads into repositories over a short period of time.

According to researchers, the Megalodon campaign targeted repositories through automated commits that inserted malicious GitHub Actions workflows capable of harvesting sensitive credentials, cloud access keys, API tokens, and other secrets stored within continuous integration and continuous delivery (CI/CD) environments.

Thousands of Malicious GitHub Actions Commits Detected Within Hours

The attack unfolded on May 18, 2026, when attackers pushed more than 5,700 malicious commits across thousands of repositories within six hours. SafeDep’s investigation found that a total of 5,718 commits were deployed between approximately 11:36 UTC and 17:48 UTC, affecting 5,561 distinct GitHub repositories.

Researchers said the Megalodon operation relied heavily on GitHub Actions to establish persistence and silently collect sensitive information from infected development environments. The attackers deployed two separate payloads as part of the campaign. One payload introduced a new GitHub Actions workflow configured to run on every push and pull request. The second payload replaced existing workflows tied to specific triggers, effectively creating dormant backdoors that could later be activated remotely.

The malicious commit associated with the infection was reportedly authored by a user identified as “build-bot” and pushed on May 18. During its investigation into the linked email address, the researchers uncovered 2,878 commits made on the same day. Researchers also identified another 2,841 commits tied to a second email address connected to the operation.

Researchers noted that all 5,718 commits tied to the Megalodon campaign landed within the same six-hour timeframe, indicating a highly coordinated and automated attack strategy. The scale and speed of the operation highlighted how threat actors are weaponizing GitHub Actions and software development workflows to distribute malicious code at scale.

Megalodon Malware Targeted CI/CD Secrets and Cloud Credentials

On compromised systems, the malware attempted to exfiltrate a broad range of sensitive data. According to researchers, the stolen information included CI environment variables, AWS credentials, Google Cloud Platform access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configuration files, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, API keys, and numerous other secrets commonly stored in development pipelines.

Another significant concern raised by researchers involved the attackers’ use of the “workflow_dispatch” feature within GitHub Actions. According to researchers, the malicious workflow leveraged this trigger mechanism to establish dormant backdoors that could later be activated through the GitHub API using stolen GitHub tokens.

Researchers explained that the “workflow_dispatch” mechanism is exempt from GitHub’s anti-recursion protections, which normally prevent workflows from spawning additional workflow runs through GitHub token-triggered events. This loophole potentially allowed attackers to reactivate compromised workflows even after the initial breach.

Researchers Link Megalodon Campaign to Compromised Open-Source Packages

The researchers discovered the Megalodon campaign after identifying malicious versions of the Tiledesk package, an open-source live chat and chatbot platform. The infected packages were reportedly published between May 19 and May 21, shortly after the malicious commits were introduced into the source repositories.

In its analysis, SafeDep stated that the same NPM account, “eljohnny” using the email address giovanni@tiledesk.com, had published both the legitimate version 2.18.5 and the compromised versions of the package. Researchers emphasized that the attacker did not directly compromise the NPM account itself. “The attacker never touched the NPM account. They compromised the GitHub repository, and the maintainer published from the poisoned source without realizing it,” SafeDep explained.

The Megalodon incident emerged shortly after NPM announced new security measures aimed at limiting similar supply chain attacks. Last week, NPM invalidated all granular access tokens with write permissions that bypassed two-factor authentication protections. The move was intended to reduce the risk of attacks resembling the earlier Mini Shai-Hulud campaign.

However, cybersecurity researchers warned that token protection alone may not fully address the broader issue of repository compromise and malicious code propagation. Security company Ox Security stated that while stricter token controls may reduce account hijacking risks, they do not solve the underlying problem of compromised repositories distributing malicious code through trusted development ecosystems. “If platforms continue allowing any type of code to be uploaded without serious vetting, the number of attacks will only increase,” Ox Security noted.

The company also warned that the Megalodon campaign could represent the beginning of a larger wave of attacks targeting developers and open-source ecosystems globally. “We’ve entered a new supply chain attack era, and TeamPCP compromising GitHub was only the beginning. What’s coming next is an endless wave, a tsunami of cyber attacks on developers worldwide,” the firm said.
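A triage pass a repository owner could run over their own history, as an added example that is not SafeDep's tooling: it parses output in the shape of `git log --all --format='%H|%an|%ae|%cI' --name-only` and flags commits that touch .github/workflows/ inside the reported window or under the author name "build-bot". The log text, SHAs and email addresses are constructed, and the 30-minute margin is an assumption.

```python
from datetime import datetime, timedelta, timezone
import re

# From the article: commits landed between about 11:36 and 17:48 UTC on
# May 18, 2026, and the malicious commit was authored as "build-bot".
WINDOW_START = datetime(2026, 5, 18, 11, 36, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 17, 48, tzinfo=timezone.utc)
AUTHOR_NAME = "build-bot"
MARGIN = timedelta(minutes=30)  # assumption: slack, the reported times are approximate

# Header line written by --format='%H|%an|%ae|%cI'
HEADER = re.compile(r"^([0-9a-f]{40})\|([^|]*)\|([^|]*)\|(\S+)$")

# Constructed sample: SHAs and addresses are placeholders, not campaign data.
SHA = [c * 40 for c in "1234"]
SAMPLE_LOG = "\n".join([
    f"{SHA[0]}|Dana Dev|dana@example.org|2026-05-17T09:10:00+00:00", "",
    ".github/workflows/ci.yml",
    f"{SHA[1]}|build-bot|bot@placeholder.invalid|2026-05-18T14:02:11+00:00", "",
    ".github/workflows/ci.yml",
    f"{SHA[2]}|Dana Dev|dana@example.org|2026-05-18T19:30:00+02:00", "",
    "src/app.js",
    ".github/workflows/release.yml",
    f"{SHA[3]}|build-bot|bot@placeholder.invalid|2026-05-20T08:00:00+00:00", "",
    "README.md",
])


def parse_log(text):
    """Split the log into commits, each with the files it touched."""
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {
                "sha": match.group(1),
                "author": match.group(2),
                "email": match.group(3),
                # Normalise to UTC so local offsets compare correctly
                "when": datetime.fromisoformat(match.group(4)).astimezone(timezone.utc),
                "files": [],
            }
            commits.append(current)
        elif line and current is not None:
            current["files"].append(line)
    return commits


def triage(text):
    """Return (sha, severity, workflow_files) for commits worth reviewing."""
    findings = []
    for commit in parse_log(text):
        workflows = [f for f in commit["files"] if f.startswith(".github/workflows/")]
        if not workflows:
            continue
        in_window = WINDOW_START - MARGIN <= commit["when"] <= WINDOW_END + MARGIN
        named = commit["author"] == AUTHOR_NAME
        if not (in_window or named):
            continue
        severity = "high" if (in_window and named) else "review"
        findings.append((commit["sha"], severity, workflows))
    return findings


if __name__ == "__main__":
    for sha, severity, files in triage(SAMPLE_LOG):
        print(f"[{severity}] {sha[:12]} {', '.join(files)}")
```

Commit dates and author names are set by whoever creates the commit, so a hit is a prompt to read the workflow diff, including any workflow_dispatch trigger it adds, and not proof on its own.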
- The Cyber Express Weekly Roundup: Supply Chain Breaches, AI Content Enforcement, And Event Disruption Attacks by Ashish Khaitan on May 22, 2026 at 11:44 am
The global cybersecurity landscape continues to evolve rapidly as attackers expand their focus on developer ecosystems, public-facing institutions, and anonymization infrastructure. At the same time, regulators and law enforcement agencies are stepping up enforcement efforts around AI misuse and cybercrime-enabling services.

This week’s developments highlight how cyber threats are becoming increasingly distributed across platforms and industries, with supply chain compromises, operational disruptions, and policy enforcement actions shaping the broader risk environment.

The Cyber Express Weekly Roundup

Austria Blocks Hundreds of Cyberattacks During Eurovision Week in Vienna

Austria successfully prevented nearly 500 cyberattack attempts targeting systems connected to Eurovision operations during the contest week in Vienna. Officials stated that the attacks were intended to disrupt event infrastructure and associated services, but no major operational failures were recorded.

Massive npm Supply Chain Attack Hits AntV Ecosystem

A large-scale software supply chain compromise has impacted more than 300 npm packages within the AntV ecosystem following the hijacking of a trusted maintainer account. The compromised packages were reportedly modified as part of the “Mini Shai-Hulud” malware campaign, which targeted developer environments and widely used JavaScript libraries.

Chanhassen Dinner Theatres Cyberattack Disrupts Operations and Ticketing Systems

A cyberattack targeting Chanhassen Dinner Theatres disrupted key operational systems, including ticketing, payment processing, and customer communications, forcing additional cancellations of scheduled performances of “Guys and Dolls.” The disruption comes amid concurrent operational challenges, including an illness outbreak affecting performers and attendees, further complicating recovery efforts.

FTC Targets AI “Nudify” Platforms Over TAKE IT DOWN Act Violations

The U.S. Federal Trade Commission has issued formal warnings to multiple AI-powered “nudify” platforms over alleged violations of the TAKE IT DOWN Act, which requires rapid removal of nonconsensual intimate content upon valid request. According to regulators, several platforms failed to implement compliant removal workflows, including the mandated 48-hour takedown requirement.

GitHub Confirms Internal Repository Breach via Malicious VS Code Extension

GitHub has confirmed a security incident in which attackers accessed thousands of internal repositories after compromising an employee’s device through a malicious Visual Studio Code extension. The company stated that there is no evidence of customer repository compromise or enterprise data exposure, and that the incident was contained following detection.

European Authorities Shut Down VPN Service Used in Ransomware Operations

European law enforcement agencies have seized the infrastructure of a VPN service known as First VPN during “Operation Saffron,” targeting its alleged use in supporting ransomware and cybercriminal operations. Authorities dismantled 33 servers and detained the suspected administrator in Ukraine.

Weekly Cybersecurity Takeaway

This week’s roundup reflects a cybersecurity landscape defined by ecosystem-level compromise rather than isolated incidents. Supply chain attacks continue to target developer tooling and open-source ecosystems, while AI-related enforcement actions signal growing regulatory pressure around synthetic content abuse. At the same time, law enforcement actions against anonymization infrastructure demonstrate a stronger focus on disrupting the operational backbone of cybercriminal networks.

Taken together, these events highlight a shifting threat environment where compromise of platforms, dependencies, and infrastructure can cascade across multiple industries simultaneously.
- Vulnerability Exploitation Overtakes Stolen Credentials in AI-Driven Cyberattacks by Samiksha Jain on May 22, 2026 at 10:54 am
Vulnerability exploitation has officially become the leading cause of cybersecurity breaches for the first time in nearly two decades, according to the latest Data Breach Investigations Report (DBIR) released by Verizon. The findings highlight how artificial intelligence is rapidly reshaping the threat landscape, enabling attackers to weaponize software flaws faster than security teams can respond. The 19th edition of the DBIR revealed that 31% of all recorded breaches now begin with vulnerability exploitation, surpassing stolen credentials as the most common attack entry point. Researchers warned that AI-driven automation is dramatically reducing the time between vulnerability disclosure and active exploitation, shrinking defensive response windows from months to just hours. The report paints a broader picture of an evolving cybersecurity environment where AI-powered attacks, mobile-focused social engineering, shadow AI usage, and supply chain compromises are all expanding organizational risk. Vulnerability Exploitation Surpasses Stolen Credentials For years, stolen usernames and passwords remained the primary method used by cybercriminals to breach corporate systems. However, the latest DBIR findings show a major shift in attacker behavior. Researchers found that threat actors are increasingly prioritizing vulnerability exploitation because AI tools can quickly identify weak systems, automate reconnaissance, and accelerate exploit development. According to the report, attackers are now moving much faster after vulnerabilities become public. Organizations that previously had weeks or months to deploy security patches are now facing exploitation attempts within hours of disclosure. Security experts said this trend is creating significant pressure on security operations teams already struggling to manage patching priorities across complex environments. 
Daniel Lawson, Senior Vice President of Global Solutions at Verizon Business, said the growing speed of cyberattacks reinforces the importance of strong cybersecurity fundamentals. “While the velocity of cyber threats driven by AI and faster vulnerability exploitation is increasing, the foundational principles of security and strong risk management remain the most effective defense,” Lawson said. AI Reshaping the Cyber Threat Landscape The report repeatedly emphasized the growing influence of artificial intelligence on cybercrime operations. Researchers noted that AI is not only helping defenders identify vulnerabilities more efficiently, but also allowing attackers to automate exploitation at unprecedented scale and speed. The DBIR warned that AI-assisted attack workflows are creating what researchers described as a “capacity crisis” for many security teams. Organizations are being forced to process increasing numbers of vulnerabilities while facing shorter remediation timelines. The report recommended that enterprises: Strengthen patch management programs Reduce overall attack surface exposure Integrate AI into secure-by-design frameworks Expand defense-in-depth strategies Improve visibility into internet-facing assets Researchers also highlighted rapid growth in AI bot activity across the internet. According to the report, AI bot crawler traffic is increasing by 21% month over month, while human-driven traffic growth remains almost flat at just 0.3%. Mobile Social Engineering Attacks Rising Beyond vulnerability exploitation, the DBIR identified major changes in social engineering tactics. As users become more cautious about traditional phishing emails, attackers are increasingly shifting toward mobile-based scams involving text messages and voice calls. The report found that conversational and interactive mobile attacks now achieve success rates roughly 40% higher than traditional email phishing campaigns. 
Researchers said attackers are leveraging:

  - Fake SMS messages
  - Voice phishing calls
  - Messaging app impersonation
  - Mobile account verification scams

Cybersecurity analysts warned that mobile devices continue to represent a major blind spot for many organizations because security monitoring on smartphones often remains less mature than on corporate desktops and servers.

Shadow AI Creates New Data Leakage Risks

Another major concern highlighted in the DBIR involves the rapid rise of “shadow AI” usage inside organizations. The term refers to employees using unapproved artificial intelligence tools without formal oversight from security or compliance teams. According to Verizon’s findings, frequent use of AI platforms by employees surged from 15% to 45% within a single year. Researchers said shadow AI has now become the third most common cause of non-malicious data leakage incidents. Security experts warned that employees may unknowingly expose:

  - Confidential corporate data
  - Customer information
  - Source code
  - Internal business documents
  - Sensitive communications

The report stressed that organizations need clearer governance policies around AI usage as adoption continues accelerating across workplaces.

Supply Chain Breaches Continue to Grow

The DBIR also documented a significant rise in third-party and supply chain compromises. Researchers found that breaches involving external vendors increased by 60% compared to previous reporting periods. Third-party involvement now accounts for 48% of all recorded breaches. As organizations rely more heavily on cloud providers, software vendors, and outsourced services, attackers are increasingly targeting weaker links within interconnected supply chains. The report concluded that the cybersecurity industry is entering a period where resilience, rapid response capabilities, and basic security hygiene remain critical despite rapid advances in AI-powered attack techniques.
While artificial intelligence is changing the speed and scale of cyber threats, researchers stressed that organizations must continue focusing on foundational cybersecurity practices to defend against the growing wave of vulnerability exploitation and AI-driven attacks.
- Microsoft Patches Actively Exploited Defender Vulnerabilities Affecting Enterprise Systems by Ashish Khaitan on May 22, 2026 at 9:01 am
Microsoft has confirmed active exploitation of two security vulnerabilities in its security ecosystem, identified as CVE-2026-41091 and CVE-2026-45498, both evaluated under the CVSS scoring system. The issues affect Microsoft Defender and have raised concerns due to confirmed in-the-wild exploitation and potential impact on enterprise systems.

The first issue, CVE-2026-41091 (CVSS 7.8), is a privilege escalation vulnerability affecting Microsoft Defender. If successfully exploited, it could allow a local attacker to obtain SYSTEM-level privileges. The flaw is rooted in improper link resolution before file access, commonly described as a “link following” issue. Microsoft stated in its advisory: “Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally.”

The second vulnerability, CVE-2026-45498 (CVSS 4.0), is a denial-of-service flaw impacting Microsoft Defender. While rated lower in severity under the CVSS framework, it has still been confirmed as actively exploited in real-world environments alongside CVE-2026-41091. Both vulnerabilities have been addressed in updated releases of the Microsoft Defender Antimalware Platform, specifically versions 1.1.26040.8 and 4.18.26040.7, respectively.

CVE-2026-41091, CVE-2026-45498, and CVSS Context

Although Microsoft has not explicitly confirmed the link, the behavior associated with CVE-2026-41091 and CVE-2026-45498 overlaps with earlier publicly discussed issues named RedSun and UnDefend, which were disclosed by the threat research group Chaotic Eclipse (also known as Nightmare-Eclipse). Security researchers from Huntress have reported active exploitation of both CVE-2026-41091 and CVE-2026-45498 in the wild. These observations also include exploitation activity related to BlueHammer (CVE-2026-33825), suggesting a broader campaign targeting Microsoft Defender components and adjacent security mechanisms.
Additional Security Findings

Alongside the two actively exploited vulnerabilities CVE-2026-41091 and CVE-2026-45498, Microsoft also patched another flaw in the same Defender update cycle: CVE-2026-45584 (CVSS 8.1). This vulnerability is a heap-based buffer overflow that could allow remote code execution if exploited. Unlike CVE-2026-41091 and CVE-2026-45498, there is currently no evidence that CVE-2026-45584 has been used in active attacks. Microsoft Defender systems that have been disabled are not affected by these vulnerabilities, according to the company. Microsoft also noted that no manual intervention is required for most users, as updates are delivered automatically through malware definition updates and the Microsoft Malware Protection Engine.

CVSS Updates and Security Guidance

To verify protection status against CVE-2026-41091 and CVE-2026-45498, Microsoft recommends users check their Microsoft Defender configuration using the Windows Security interface. The recommended steps include navigating to Virus & threat protection, checking protection updates, and verifying the Antimalware Client Version. Microsoft credited five researchers for identifying CVE-2026-41091, including Sibusiso, Diffract, Andrew C. Dorman (also known as ACD421), Damir Moldovanov, and an anonymous contributor.

CISA KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply mitigations by June 3, 2026, reflecting the urgency of addressing CVSS-rated threats that are already being exploited. With this addition, three Microsoft vulnerabilities have been flagged as actively exploited within a single week, highlighting a concentrated wave of CVE-based attacks targeting Microsoft products.
Legacy Vulnerabilities

CISA’s KEV catalog update also included several older but still relevant vulnerabilities:

  - CVE-2010-0806: Internet Explorer use-after-free flaw enabling remote code execution
  - CVE-2010-0249: Another Internet Explorer use-after-free vulnerability allowing arbitrary code execution
  - CVE-2009-1537: DirectX issue in QuickTime Movie Parser Filter via crafted media files
  - CVE-2008-4250: Windows Server Service buffer overflow via crafted RPC request
  - CVE-2009-3459: Adobe Acrobat and Reader heap-based buffer overflow via malicious PDF files

These legacy issues demonstrate that exploitation of older software remains relevant in modern threat landscapes, especially when combined with newer vulnerabilities like CVE-2026-41091 and CVE-2026-45498, both evaluated using CVSS metrics.
- Cisco Secure Workload Flaw CVE-2026-20223 Gets Maximum CVSS 10 Rating by Ashish Khaitan on May 22, 2026 at 7:36 am
Cisco has released security updates to fix a critical vulnerability, tracked as CVE-2026-20223, affecting its Cisco Secure Workload platform. The flaw, which received the maximum CVSS score of 10.0, could allow an unauthenticated remote attacker to access sensitive information and make unauthorized configuration changes through vulnerable REST API endpoints. The company said the issue originates from insufficient validation and authentication checks in internal REST API functions used by Secure Workload. The vulnerability has also been classified under CWE-306, a category associated with missing authentication protections for critical operations. According to Cisco, “an attacker could exploit this vulnerability if they can send a crafted API request to an affected endpoint.” The company added that a successful exploitation of CVE-2026-20223 could allow attackers to “read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user.”

CVE-2026-20223 Impacts Internal Secure Workload REST API Functions

Cisco stated in its advisory that the vulnerability affects internal REST API endpoints within Cisco Secure Workload Cluster Software. The issue impacts both SaaS and on-premises deployments regardless of device configuration. However, the company clarified that the flaw does not affect the web-based management interface. Instead, the exposure is limited to internal API functions associated with Secure Workload infrastructure. The advisory, identified as “cisco-sa-csw-pnbsa-g8WEnuy,” was first published on May 20, 2026, at 16:00 GMT. Cisco assigned the flaw a base CVSS score of 10.0 due to the severity of the potential impact and the lack of authentication requirements needed for exploitation. The issue is internally tracked under Cisco Bug ID CSCwt99942.
Cisco explained that the root cause behind CVE-2026-20223 is “insufficient validation and authentication when accessing REST API endpoints.” Because of these missing protections, attackers may be able to bypass authorization boundaries and gain access to site resources with Site Admin-level privileges.

Cisco Warns of Cross-Tenant Data Exposure Risks

The company warned that exploitation of CVE-2026-20223 could allow unauthorized access to sensitive information across tenant environments. Attackers could also modify configurations across tenant boundaries while operating with elevated Site Admin permissions. The nature of the vulnerability makes it particularly severe in multi-tenant Secure Workload environments where administrative controls and segmentation are critical for protecting customer data. Cisco also confirmed that there are currently no workarounds available to mitigate the REST API vulnerability. As a result, organizations using affected Secure Workload releases are being advised to install fixed software versions as quickly as possible. The company stated that temporary mitigations are not enough to fully remediate the issue and strongly recommended upgrading to patched releases to avoid future exposure related to CVE-2026-20223.

Fixed Secure Workload Versions for CVE-2026-20223

Cisco released patches for affected Secure Workload versions and outlined the following fixed releases:

  - Cisco Secure Workload Release 3.10: fixed in version 3.10.8.3
  - Cisco Secure Workload Release 4.0: fixed in version 4.0.3.17
  - Cisco Secure Workload Release 3.9 and earlier: customers are advised to migrate to a fixed release

The company also noted that the cloud-based Cisco Secure Workload SaaS deployment has already been secured against CVE-2026-20223. Cisco said no user action is required for SaaS customers because the fixes have already been applied to the hosted environment.
Customers requiring additional support were advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers for guidance regarding patch deployment and remediation.

Cisco Says No Active Exploitation Has Been Detected

Despite the maximum severity rating assigned to CVE-2026-20223, Cisco stated that its Product Security Incident Response Team (PSIRT) is “not aware of any public announcements or malicious use of the vulnerability” at the time of disclosure. The company added that the vulnerability was identified during internal security testing rather than through reports of active attacks in the wild. The disclosure highlights the increasing risks associated with insecure REST API implementations in enterprise infrastructure products. Vulnerabilities tied to CWE-306 can become especially dangerous when authentication checks are absent from critical administrative functions. As more organizations rely on APIs to manage workloads, automate infrastructure, and support cloud-native environments, flaws like CVE-2026-20223 demonstrate how authentication weaknesses in Secure Workload platforms can expose sensitive systems and tenant data to unauthorized access. Cisco published version 1.0 of the advisory as a final release on May 20, 2026, and has not indicated whether additional revisions related to the Secure Workload REST API vulnerability are expected.
- Pardus Linux Vulnerability Chain Enables Complete System Takeover by Ashish Khaitan on May 21, 2026 at 6:47 am
A critical local privilege escalation vulnerability chain tracked as CVE-2026-5140 has exposed serious security weaknesses in Pardus Linux. Researchers revealed that the flaws allow any unprivileged local user to gain full root access without authentication, potentially leading to complete system compromise within seconds. The vulnerability affects the pardus-update package, which handles system updates through graphical tools and privileged Python helper scripts. The issue received a CVSS v3.1 score of 9.3, classifying it as “Critical.” The published vector is:

    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Maintained by TÜBİTAK, Pardus Linux is widely used across Turkish government institutions, schools, and enterprise environments. Researchers stated that the attack chain behind CVE-2026-5140 combines three separate vulnerabilities: a Polkit authorization bypass, a CRLF injection flaw, and an untrusted search path issue.

Polkit Misconfiguration Opens the Door

The first issue was identified in the file:

    /usr/share/polkit-1/actions/tr.org.pardus.pkexec.pardus-update.policy

Researchers discovered that several privileged actions were configured with unrestricted access permissions:

    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

Because of this configuration, any local user could execute privileged operations through pkexec without entering an administrator password. The vulnerable actions included aptupdateaction, autoaptupgradeaction, and systemsettingswrite.

This allowed attackers to run the following scripts as root:

  - SystemSettingsWrite.py
  - AutoAptUpgrade.py

CRLF Injection Enables Configuration Manipulation in Pardus Linux

The second flaw in CVE-2026-5140 involved SystemSettingsWrite.py, which writes user-controlled input into the configuration file:

    /etc/pardus/pardus-update.conf

Although Python’s ConfigParser sanitizes newline characters (\n), it does not properly filter carriage returns (\r). Attackers could exploit this weakness using the following payload:

    123\rcustom_sourcesd_path=/tmp/pwn.list

The injected carriage return caused the parser to interpret the second part as a new configuration entry:

    custom_sourcesd_path=/tmp/pwn.list

This gave attackers control over the APT source configuration used by the update system.

Malicious Repository Leads to Root Access

The final stage of CVE-2026-5140 targeted AutoAptUpgrade.py, which copied attacker-controlled .list files directly into /etc/apt/sources.list.d/ without validating the source path. Researchers demonstrated a proof-of-concept attack by creating a malicious Debian package that modified /bin/bash with the SUID bit through a postinst script:

    #!/bin/sh
    chmod +s /bin/bash
    exit 0

The exploit was triggered with two commands:

    pkexec /usr/share/pardus/pardus-update/src/SystemSettingsWrite.py write \
        lastupgrade $'123\rcustom_sourcesd_path=/tmp/pwn.list'
    pkexec /usr/share/pardus/pardus-update/src/AutoAptUpgrade.py

After execution, attackers could gain a root shell using:

    /bin/bash -p

Researchers confirmed the attack provided full administrative access, including the ability to read sensitive files, install persistent backdoors, overwrite system files, and completely take over vulnerable Pardus Linux systems. The vulnerability was discovered and documented on March 13, 2026, by Çağrı Eser.
Researchers advised administrators to harden Polkit rules immediately, sanitize CRLF characters in user input, and restrict APT source paths to trusted directories to mitigate CVE-2026-5140.
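
The two input-handling mitigations above can be sketched in Python. This is an added example, not code from pardus-update or from the researchers: it replays the carriage-return string quoted above against a throwaway temporary file to show why the injected key appears when the file is re-read, then shows a control-character check and a trusted-directory check. The section name `main`, the directory `/opt/example-trusted-sources`, and all function names are assumptions made for the illustration.

```python
import configparser
import os
import tempfile

SECTION = "main"                              # assumed section name
TRUSTED_DIR = "/opt/example-trusted-sources"  # placeholder trusted directory


def roundtrip(value):
    """Store value under 'lastupgrade', write the file, and parse it again."""
    cp = configparser.ConfigParser(interpolation=None)
    cp[SECTION] = {"lastupgrade": value}
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        # write() rewrites "\n" as a continuation line but emits "\r" unchanged.
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            cp.write(fh)
        # Text-mode reads use universal newlines, so a lone "\r" ends the line.
        parsed = configparser.ConfigParser(interpolation=None)
        parsed.read(path, encoding="utf-8")
        return dict(parsed[SECTION])
    finally:
        os.unlink(path)


def validate_value(value):
    """Reject any control character (CR, LF, NUL, ...) before it is stored."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in configuration value")
    return value


def is_trusted_sources_path(path):
    """True only if path, with symlinks and '..' resolved, is inside TRUSTED_DIR."""
    trusted = os.path.realpath(TRUSTED_DIR)
    real = os.path.realpath(path)
    return real != trusted and os.path.commonpath([real, trusted]) == trusted


if __name__ == "__main__":
    payload = "123\rcustom_sourcesd_path=/tmp/pwn.list"  # string quoted on the page
    print("unvalidated:", roundtrip(payload))
    try:
        roundtrip(validate_value(payload))
    except ValueError as exc:
        print("validated:  rejected,", exc)
    print("trusted /tmp/pwn.list?", is_trusted_sources_path("/tmp/pwn.list"))
```

Validation belongs in the privileged helper that writes the file, since any caller-side check can be bypassed by invoking the helper directly.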















