// Articles
389 articles — page 7 of 17
Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded
The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.
VMware ESXi Cross-Tenant Code Execution Demonstrated at Pwn2Own Berlin — $200K Prize for Single-Bug Hypervisor Escape
STARLabs SG earned $200,000 at Pwn2Own Berlin 2026 for a single vulnerability enabling cross-tenant code execution on VMware ESXi, allowing code running in one virtual machine to execute in a separate guest VM on the same hypervisor host. The bug has not been assigned a CVE and will not be publicly disclosed for up to 90 days.
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet
Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.
Microsoft Reverses Course on Edge Plaintext Password Exposure — Update Will Prevent Loading Saved Passwords into Process Memory
Following disclosure on 11 May that Microsoft Edge loads saved passwords as plaintext into process memory at startup, Microsoft confirmed it will release a patch preventing password data from being loaded into memory outside of active use contexts. The fix addresses the specific vulnerability class that allows process memory dumpers to extract Edge-saved credentials without user interaction.
REMUS Infostealer Deep-Dive: Session Token Theft Evolves into MaaS Platform Targeting Browser Credentials and SaaS Sessions
Security researchers published a technical analysis of REMUS, an infostealer-as-a-service platform that has rapidly evolved from simple credential harvesting to session token theft targeting enterprise SaaS applications. REMUS specifically targets Salesforce, Workday, ServiceNow, and Microsoft 365 session cookies to bypass MFA, and has been observed in initial access broker sales followed by ransomware deployments.
TeamPCP Gang Advertising Stolen Mistral AI Source Code Repositories for Sale — Part of Shai-Hulud Supply Chain Campaign
The TeamPCP extortion group is advertising stolen Mistral AI source code repositories on dark web forums, claiming access was obtained as a side effect of the Shai-Hulud npm supply chain campaign targeting AI development infrastructure. The breach potentially exposes Mistral's proprietary model training code, API infrastructure, and internal tooling to competitors and nation-state actors.
Burst Statistics WordPress Plugin Authentication Bypass Actively Exploited for Mass Site Takeovers
Threat actors are actively exploiting an authentication bypass vulnerability in the Burst Statistics WordPress analytics plugin, allowing unauthenticated attackers to gain administrative access to any WordPress site with the plugin installed. Over 100,000 WordPress sites use Burst Statistics. Sites have been observed being defaced, backdoored, and redirected to malicious domains within hours of exploitation.
Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices
Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.
KongTuke Initial Access Broker Pivots to Microsoft Teams Social Engineering — Five-Minute Corporate Compromise via ModeloRAT
Initial access broker KongTuke has updated its tradecraft to use Microsoft Teams as the primary social engineering vector, impersonating IT helpdesk personas to deliver ModeloRAT via Teams file transfers to targeted employees. The group achieves credential theft and establishes persistence within five minutes of initial Teams contact, then sells access to ransomware affiliates within 24 hours.
Linux 'Fragnesia' Kernel Privilege Escalation CVE-2026-46300 — New Dirty Frag Class Bug Exploits XFRM ESP-in-TCP for Unprivileged Root
Security researchers disclosed 'Fragnesia,' a Linux kernel privilege escalation vulnerability (CVE-2026-46300) in the XFRM framework's ESP-in-TCP fragmentation handling. The flaw follows the Dirty Frag class of fragmentation-layer bugs and enables an unprivileged local user to gain root on any affected kernel version. A proof-of-concept exploit is available. Kernel patches are being distributed through Linux distribution channels.
NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways
A heap buffer overflow in NGINX's chunked transfer encoding handler, present since version 0.6.27 released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. The vulnerability affects all NGINX versions through the latest release and has potential for both denial-of-service and remote code execution. Patches are available and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.
OpenAI Confirms Developer Devices Breached via TanStack Supply Chain Attack — Code-Signing Certificates Rotated
OpenAI confirmed that two developer devices were compromised as a result of the TanStack npm supply chain attack disclosed on 12 May, with malicious postinstall hooks executing on machines running npm install within the six-minute poisoning window. OpenAI rotated all affected code-signing certificates and npm tokens and is investigating whether any internal packages published using the compromised credentials were delivered downstream.
Pwn2Own Berlin 2026 Day 1: Windows 11 Hacked Three Times, Edge Sandbox Escaped for $175K — 24 Zero-Days Demonstrated
The first day of Pwn2Own Berlin 2026 saw researchers demonstrate 24 previously unknown vulnerabilities across Windows 11, Microsoft Edge, VMware Workstation, and Oracle VirtualBox. Windows 11 was compromised three separate times by different teams, and a full Microsoft Edge sandbox escape earned a $175,000 award. No CVE IDs have been assigned yet as vendors begin the 90-day remediation process.
Apple Releases Safari and WebKit Security Update Patching Memory Corruption and CSP Bypass Vulnerabilities
Apple released a security update for Safari and WebKit on 13 May addressing more than ten vulnerabilities including memory corruption flaws enabling potential arbitrary code execution and a Content Security Policy bypass allowing cross-origin data access. The update applies to macOS Ventura, Sonoma, Sequoia, iOS, and iPadOS. Users should update immediately given WebKit's role as the rendering engine for all iOS browsers.
Critical Exim MTA Remote Code Execution CVE-2026-45185 — Use-After-Free in GnuTLS Shutdown Affects Millions of Linux Email Servers
A critical use-after-free vulnerability (CVE-2026-45185) in Exim's GnuTLS TLS session shutdown handler enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. Exim is the default MTA on Debian, Ubuntu, and many Linux distributions, putting tens of millions of internet-facing mail servers at risk. Patches are available and should be applied immediately.
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories — 8 TB of Customer Data Stolen
Electronics manufacturing giant Foxconn confirmed a Nitrogen ransomware attack on its North American operations that encrypted factory systems and exfiltrated approximately 8 TB of data including Apple, NVIDIA, and Intel supply chain documentation. Production lines at multiple facilities were disrupted before recovery procedures were activated.
MuddyWater Spent a Week Undetected Inside South Korean Electronics Giant's Network — Nine Organisations Compromised
Iranian state-sponsored threat group MuddyWater (Seedworm) conducted a sustained intrusion campaign against a major South Korean electronics manufacturer, maintaining persistence for over a week before detection. Nine connected organisations were compromised through the electronics firm's supplier and partner network. Lateral movement used living-off-the-land techniques to evade endpoint detection.
West Pharmaceutical Services Files SEC 8-K After Ransomware Encrypts Systems and Exfiltrates Manufacturing Data
West Pharmaceutical Services, an S&P 500 drug delivery component manufacturer, disclosed a ransomware attack via SEC Form 8-K, confirming system encryption and data exfiltration affecting its manufacturing and quality systems. The incident highlights regulatory obligations for publicly listed companies to disclose material cybersecurity incidents and the specific risks facing pharmaceutical supply chain manufacturers.
Windows BitLocker Zero-Day 'YellowKey' Published with PoC — WinRE Bypass Decrypts Protected Drives Without Authentication
Researcher collective Chaotic Eclipse released a proof-of-concept exploit for 'YellowKey,' an unpatched Windows BitLocker bypass that abuses the Windows Recovery Environment to gain access to encrypted drives without the PIN or password. No CVE has been assigned yet and Microsoft has not released a patch. Organisations relying on BitLocker for endpoint data protection should assess their exposure.
AMD Discloses Elevation of Privilege Vulnerability in Zen 2 Micro-Op Cache — Microcode and Firmware Updates Required
AMD has disclosed an elevation-of-privilege vulnerability in the micro-op cache of Zen 2 processors, where a low-privileged process can exploit speculative execution behaviour to access privileged memory content. Full remediation requires microcode updates delivered via OEM BIOS firmware. Zen 3 and later generations are not affected. Dell PowerEdge EPYC Rome servers and AMD EPYC Rome cloud instances require priority attention.
Fortinet Patches Critical Vulnerabilities in FortiAuthenticator and FortiSandbox — Enterprise SSO and Security Infrastructure at Risk
Fortinet released patches for critical vulnerabilities in FortiAuthenticator and FortiSandbox as part of the May 2026 patch cycle. FortiAuthenticator flaws can enable authentication bypass and session manipulation in enterprise SSO deployments, while FortiSandbox issues affect the analysis platform. Apply patches immediately given Fortinet's established exploitation history.
Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action
Microsoft released 120 security fixes in May's Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.
SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud
SAP's May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud's Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.
SharePoint Server RCE and Office Preview Pane Vulnerabilities Fixed in May Patch Tuesday — Enterprise Document Attack Surface Elevated
May's Patch Tuesday patches an authenticated RCE in SharePoint Server (CVE-2026-40365) and multiple Office vulnerabilities exploitable via the Windows Explorer and Outlook preview pane without opening files. Together they represent a significant enterprise document attack surface. Assess SharePoint exposure and validate Office update deployment this week.