// Articles
389 articles — page 2 of 17
HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate
Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.
SAP Landscape Security Assessment: Managing NetWeaver Vulnerabilities Across Enterprise ERP Environments
CVE-2026-44748 (CVSS 9.9) in SAP NetWeaver ABAP is the second critical SAP vulnerability of 2026 affecting SAML authentication. Enterprise organisations running complex SAP landscapes with multiple NetWeaver instances face challenges in identifying which systems are affected, prioritising patching across landscape tiers, and assessing whether compromise indicators are present.
Why Ransomware Groups Target Veeam First: Backup Infrastructure as the Strategic Priority
CVE-2026-44963 in Veeam Backup & Replication is the third critical Veeam RCE vulnerability in three years, each exploited by ransomware operators to neutralise backup infrastructure before deploying encryption payloads. This article examines why backup systems have become the primary strategic target in ransomware operations and what structural security controls reduce exposure.
Hardening Active Directory Against CVE-2026-47288 and the Kerberos Attack Surface
CVE-2026-47288 in the Windows Kerberos KDC is the most critical Active Directory vulnerability of 2026. Beyond patching, the Kerberos attack surface encompasses golden ticket attacks, AS-REP roasting, Kerberoasting, and credential relay. This article provides post-patch hardening guidance for enterprise AD environments.
Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed
New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.
Enterprise Guide: Prioritising the June 2026 Patch Tuesday Across 198 CVEs
Security teams face 198 CVEs from Microsoft's June 2026 Patch Tuesday plus concurrent advisories from SAP, Ivanti, Palo Alto, and CISA. This guide provides a decision framework for prioritising remediation across different infrastructure tiers — from internet-facing servers to workstations — with specific guidance for each of the highest-risk vulnerabilities.
CVE-2026-23111 Detection and Hardening Guide: Protecting Linux Environments from the nf_tables Exploit
With public proof-of-concept code available for CVE-2026-23111, security teams running Linux across production, containerised, and cloud environments need specific detection and hardening guidance. This guide covers kernel patch availability by distribution, interim mitigations, eBPF-based detection, and Kubernetes-specific containment measures.
Windows Server Fleet Patching After June Patch Tuesday: Managing Velocity and Risk in Large Environments
After the largest Microsoft Patch Tuesday of 2026, enterprise teams face the challenge of patching Windows Server fleets at emergency speed while avoiding the outages that come with untested updates. This article addresses patch deployment sequencing, testing compression strategies, and rollback planning for the June 2026 emergency patch cycle.
Ivanti Sentry CVE-2026-10520: CVSS 10.0 Pre-Authentication RCE Exploited After PoC Release
Ivanti has disclosed CVE-2026-10520, a CVSS 10.0 pre-authentication remote code execution vulnerability in Ivanti Sentry (formerly MobileIron Sentry) that is being actively exploited following public proof-of-concept release. A companion OS command injection flaw CVE-2026-10523 (CVSS 9.4) affects the same platform. Both require immediate action for all organisations running Ivanti Sentry in their mobile device management infrastructure.
Langflow CVE-2026-5027 Exploitation Accelerates: AI Workflow Builder's Path Traversal RCE Under Active Attack
Exploitation of CVE-2026-5027 in Langflow, the AI workflow builder, has intensified following public PoC release. The path traversal remote code execution vulnerability, added to CISA's KEV on 8 June, is being used to deploy credential stealers and post-exploitation agents against organisations running unsecured Langflow instances. Upgrade to Langflow 1.3.5 immediately.
Palo Alto Networks Patches PAN-OS Command Injection CVE-2026-0273 Across All Active Branches
Palo Alto Networks has patched CVE-2026-0273, a command injection vulnerability in the PAN-OS web management interface that allows authenticated administrators to execute arbitrary OS commands on the firewall. The vulnerability affects PAN-OS versions 10.1 through 11.2 and all active GlobalProtect gateway configurations. Updates are available across all supported branches.
Veeam Backup & Replication CVE-2026-44963 (CVSS 9.4): Domain Users Can Execute Remote Code on Backup Infrastructure
Veeam has patched CVE-2026-44963, a CVSS 9.4 remote code execution vulnerability in Veeam Backup & Replication that allows any domain user to execute arbitrary code on the Veeam backup server. The vulnerability exploits insufficient authorisation in the Veeam Backup Service API. Organisations using Veeam in Active Directory environments should apply the patch immediately.
June Patch Tuesday Zero-Days: BitLocker Bypass CVE-2026-50507 and CTFMON Privilege Escalation CVE-2026-45586
Two of June 2026's six publicly disclosed zero-days target security boundaries rather than remote execution: CVE-2026-50507 bypasses BitLocker pre-boot authentication on stolen devices, and CVE-2026-45586 enables local privilege escalation through the Windows Text Services Framework. Both carry named researcher disclosures and appear in active post-exploitation toolkits.
Three CVSS 9.8 Windows Flaws Demand Emergency Action: Kernel RCE, Wormable HTTP.sys, and DHCP Client
CVE-2026-45657 (Windows Kernel), CVE-2026-47291 (HTTP.sys), and CVE-2026-44815 (DHCP Client) each carry CVSS 9.8 and enable unauthenticated remote code execution. All three were publicly disclosed before Microsoft's June patch, giving attackers a head start. This article provides technical detail and remediation guidance for each flaw.
Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch
Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. All users and enterprise deployments should update immediately — CISA's federal deadline is 30 June.
CISA Adds Chrome V8 Zero-Day, Cisco SD-WAN, and Arista EOS to Known Exploited Vulnerabilities Catalogue
CISA added three vulnerabilities to the KEV catalogue on 9 June: Google Chrome CVE-2026-11645 (V8 out-of-bounds write, actively exploited), Cisco SD-WAN CVE-2026-20245 (authentication bypass), and Arista EOS CVE-2026-7473 (privilege escalation command injection). Federal agencies face a 30 June remediation deadline across all three.
Linux Kernel CVE-2026-23111: nf_tables Use-After-Free Enables Container Escape and Root Privilege Escalation
A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem allows unprivileged users to escalate to root and break container isolation. Public proof-of-concept code published 9 June makes this an immediate remediation priority across all major Linux distributions running kernel versions 5.15 through 6.10.
Microsoft June 2026 Patch Tuesday: 198 CVEs and Six Zero-Days Including Wormable CVSS 9.8 HTTP.sys Flaw
Microsoft's June 2026 Patch Tuesday addresses 198 vulnerabilities across Windows, Office, Azure, and server components — including three CVSS 9.8 critical remote code execution flaws and six publicly disclosed zero-days. HTTP.sys CVE-2026-47291 is wormable, requiring no authentication or user interaction against any Windows Server with IIS or HTTP API exposed.
SAP June 2026 Security Patch Day: CVSS 9.9 SAML Authentication Bypass CVE-2026-44748 in NetWeaver ABAP
SAP's June 2026 Security Patch Day includes CVE-2026-44748, a CVSS 9.9 authentication bypass in SAP NetWeaver Application Server ABAP that allows unauthenticated remote attackers to forge SAML assertions and impersonate any user including system administrators. Twenty-one additional CVEs were patched, including three rated Critical.
Windows Kerberos KDC Remote Code Execution CVE-2026-47288 Puts Domain Controllers at Critical Risk
CVE-2026-47288 is a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre that allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. All supported Windows Server versions are affected. Domain controllers should be treated as the highest-priority patch target in the June 2026 update cycle.
CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns
CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. An emergency hotfix is available.
CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack
CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.
Meta Files Contempt Motion Against NSO Group Over WhatsApp Spear-Phishing Attack on Journalists
Meta has filed a federal contempt motion against NSO Group alleging the Israeli spyware vendor violated a 2021 court order by deploying new WhatsApp-based spear-phishing infrastructure targeting journalists and human rights defenders. The case highlights the persistent challenge of enforcement against commercial spyware vendors whose products operate outside regulatory frameworks.
UNC3753: Vishing Calls Combined With Physical Office Intrusions in U.S. Data Theft Extortion Campaign
Threat group UNC3753 has been documented combining voice phishing (vishing) with physical office intrusions to conduct data theft and extortion against U.S. organisations. The group uses vishing to gather employee credentials and facility access information, then deploys operatives physically to compromise targets. The hybrid TTPs represent a significant escalation in social engineering attack sophistication.