<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>CipherWatch — Communication &amp; Network Security</title><description>Security intelligence covering Communication &amp; Network Security: Network architecture, protocols, secure communication channels, and network attacks.</description><link>https://cipherwatch.io/</link><language>en-gb</language><item><title>Cisco Catalyst SD-WAN Manager CVE-2026-20262 Actively Exploited — Arbitrary File Overwrite Escalates to Root</title><link>https://cipherwatch.io/articles/2026-06-16-cisco-sdwan-manager-cve-2026-20262-file-overwrite-root/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-16-cisco-sdwan-manager-cve-2026-20262-file-overwrite-root/</guid><description>A file upload vulnerability in Cisco Catalyst SD-WAN Manager is under active exploitation, allowing an attacker with network-operator level access to overwrite arbitrary files on the underlying operating system and escalate privileges to root. CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalogue on 16 June, setting a federal remediation deadline.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><category>cisco</category><category>sd-wan</category><category>cve-2026-20262</category><category>actively-exploited</category><category>privilege-escalation</category><category>cisa-kev</category></item><item><title>PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure</title><link>https://cipherwatch.io/articles/2026-06-15-pan-os-globalprotect-cve-2026-0257-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-15-pan-os-globalprotect-cve-2026-0257-active-exploitation/</guid><description>Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as 
arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto&apos;s Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>globalprotect</category><category>pan-os</category><category>cve-2026-0257</category><category>authentication-bypass</category><category>cisa-kev</category><category>actively-exploited</category><category>vpn-security</category></item><item><title>Ivanti Sentry CVE-2026-10523 (CVSS 9.9): Second Critical Flaw Chains with CVE-2026-10520 for Complete Device Takeover</title><link>https://cipherwatch.io/articles/2026-06-14-ivanti-sentry-cve-2026-10523-auth-bypass-chain/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-14-ivanti-sentry-cve-2026-10523-auth-bypass-chain/</guid><description>Ivanti has disclosed a second critical vulnerability in Sentry — CVE-2026-10523, an authentication bypass scoring CVSS 9.9 — that chains with the previously patched CVE-2026-10520 (CVSS 10.0) to enable complete unauthenticated takeover of the MDM gateway. 
Organisations that deployed the initial patch must apply additional updates; the two CVEs affect overlapping but distinct code paths.</description><pubDate>Sun, 14 Jun 2026 00:00:00 GMT</pubDate><category>ivanti</category><category>sentry</category><category>authentication-bypass</category><category>cve-2026-10523</category><category>cve-2026-10520</category><category>mdm</category><category>chained-vulnerability</category><category>cisa-kev</category></item><item><title>Gentlemen Ransomware Worm: Using Network Segmentation to Contain Propagation Before Detection</title><link>https://cipherwatch.io/articles/2026-06-13-gentlemen-ransomware-worm-network-segmentation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-13-gentlemen-ransomware-worm-network-segmentation/</guid><description>The confirmed worm capability in the Gentlemen ransomware payload — propagating via SMB exploitation and credential reuse — changes the containment calculus for enterprise incident response. Network segmentation contains the worm only where SMB (TCP 445) is actually filtered between segments: a VLAN boundary that inter-VLAN routing crosses unfiltered does not stop propagation, whereas a boundary enforced with ACLs or a firewall does. 
This guide maps the segmentation controls that constrain Gentlemen&apos;s lateral movement.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>gentlemen-ransomware</category><category>worm</category><category>network-segmentation</category><category>smb</category><category>vlans</category><category>lateral-movement</category><category>incident-response</category><category>containment</category><category>microsegmentation</category></item><item><title>HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate</title><link>https://cipherwatch.io/articles/2026-06-12-http-sys-cve-2026-47291-wormable-windows-server-exposure/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-12-http-sys-cve-2026-47291-wormable-windows-server-exposure/</guid><description>Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate><category>http-sys</category><category>cve-2026-47291</category><category>wormable</category><category>windows-server</category><category>iis</category><category>network-security</category><category>attack-surface</category><category>patch-management</category><category>exchange</category><category>sharepoint</category></item><item><title>Palo Alto Networks Patches PAN-OS Command Injection CVE-2026-0273 Across All Active Branches</title><link>https://cipherwatch.io/articles/2026-06-10-palo-alto-pan-os-cve-2026-0273-command-injection/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-10-palo-alto-pan-os-cve-2026-0273-command-injection/</guid><description>Palo Alto Networks has patched CVE-2026-0273, a command injection vulnerability 
in the PAN-OS web management interface that allows authenticated administrators to execute arbitrary OS commands on the firewall. The vulnerability affects PAN-OS versions 10.1 through 11.2 and all active GlobalProtect gateway configurations. Updates are available across all supported branches.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>globalprotect</category><category>cve-2026-0273</category><category>command-injection</category><category>firewall</category><category>network-security</category><category>patch</category><category>management-interface</category></item><item><title>Linux Kernel CVE-2026-23111: nf_tables Use-After-Free Enables Container Escape and Root Privilege Escalation</title><link>https://cipherwatch.io/articles/2026-06-09-linux-cve-2026-23111-nftables-container-escape/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-09-linux-cve-2026-23111-nftables-container-escape/</guid><description>A use-after-free vulnerability in the Linux kernel&apos;s nf_tables netfilter subsystem allows unprivileged users to escalate to root and break container isolation. 
Public proof-of-concept code published 9 June makes this an immediate remediation priority across all major Linux distributions running kernel versions 5.15 through 6.10.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>linux-kernel</category><category>nftables</category><category>netfilter</category><category>cve-2026-23111</category><category>container-escape</category><category>privilege-escalation</category><category>use-after-free</category><category>actively-exploited</category></item><item><title>CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns</title><link>https://cipherwatch.io/articles/2026-06-08-check-point-cve-2026-50751-vpn-auth-bypass-ransomware/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-08-check-point-cve-2026-50751-vpn-auth-bypass-ransomware/</guid><description>CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway&apos;s IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. 
An emergency hotfix is available.</description><pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate><category>check-point</category><category>cve-2026-50751</category><category>vpn</category><category>authentication-bypass</category><category>ikev1</category><category>ransomware</category><category>cisa-kev</category><category>actively-exploited</category></item><item><title>VPN Gateway Security: Hardening the Network Perimeter Device That Attackers Target First</title><link>https://cipherwatch.io/articles/2026-06-07-vpn-gateway-attack-surface-enterprise-hardening/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-07-vpn-gateway-attack-surface-enterprise-hardening/</guid><description>VPN gateways and remote access concentrators have become the most frequently exploited initial access vector in enterprise network intrusions. With critical vulnerabilities regularly disclosed in Palo Alto GlobalProtect, Citrix NetScaler, Fortinet FortiGate, and now Check Point Security Gateway, this guide covers the security hardening and monitoring posture that reduces exposure regardless of which vendor&apos;s appliance your organisation runs.</description><pubDate>Sun, 07 Jun 2026 00:00:00 GMT</pubDate><category>vpn</category><category>remote-access</category><category>network-security</category><category>hardening</category><category>check-point</category><category>fortinet</category><category>palo-alto</category><category>perimeter-security</category><category>vulnerability-management</category></item><item><title>CVE-2026-46243 and the CIFS Attack Surface: Network-Layer Hardening for Linux SMB Environments</title><link>https://cipherwatch.io/articles/2026-06-04-cifs-smb-protocol-enterprise-network-hardening/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-04-cifs-smb-protocol-enterprise-network-hardening/</guid><description>CVE-2026-46243 is a flaw in the Linux kernel CIFS client subsystem reachable from local shell access. 
But the broader CIFS/SMB attack surface extends beyond this single CVE — missing SMB signing enforcement, unauthenticated share access, and uncontrolled NTLM relay paths are network-level risks that compound the impact of any CIFS kernel vulnerability. This article covers network hardening for Linux environments that use SMB/CIFS mounts.</description><pubDate>Thu, 04 Jun 2026 00:00:00 GMT</pubDate><category>cifs</category><category>smb</category><category>linux</category><category>cve-2026-46243</category><category>network-hardening</category><category>ntlm-relay</category><category>smb-signing</category><category>protocol-security</category></item><item><title>Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited</title><link>https://cipherwatch.io/articles/2026-05-29-windows-netlogon-cve-2026-41089-cvss98-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-29-windows-netlogon-cve-2026-41089-cvss98-active-exploitation/</guid><description>The Centre for Cybersecurity Belgium (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. 
Patch domain controllers as an emergency priority.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>windows</category><category>netlogon</category><category>cve-2026-41089</category><category>domain-controller</category><category>rce</category><category>active-exploitation</category><category>active-directory</category><category>critical</category></item><item><title>Citrix NetScaler CVE-2026-3055 Exploitation Escalates — Fortinet Confirms Large-Scale Attacks on Internet-Facing ADC</title><link>https://cipherwatch.io/articles/2026-05-28-citrix-netscaler-cve-2026-3055-large-scale-exploitation-fortinet/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-28-citrix-netscaler-cve-2026-3055-large-scale-exploitation-fortinet/</guid><description>Fortinet&apos;s threat intelligence team has confirmed large-scale active exploitation of CVE-2026-3055, the Citrix NetScaler SAML IDP memory overread vulnerability (CVSSv4 9.3) patched in March. More than 65 days after the patch was available, thousands of internet-facing NetScaler ADC appliances remain unpatched and are being targeted by automated exploitation frameworks.</description><pubDate>Thu, 28 May 2026 00:00:00 GMT</pubDate><category>citrix</category><category>netscaler</category><category>cve-2026-3055</category><category>saml</category><category>active-exploitation</category><category>fortinet</category><category>adc</category><category>patch-gap</category></item><item><title>MiniPlasma: PoC-Released Windows Zero-Day Exploits Cloud Files Mini Filter Driver for SYSTEM Access</title><link>https://cipherwatch.io/articles/2026-05-25-miniplasma-windows-cloud-files-zero-day-no-patch/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-25-miniplasma-windows-cloud-files-zero-day-no-patch/</guid><description>A researcher published a working proof-of-concept for a Windows zero-day — dubbed MiniPlasma — that exploits the Cloud Files Mini Filter Driver to achieve 
SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2022/2025. Microsoft has not issued a patch or an out-of-band advisory. All unmitigated Windows systems with cloud sync enabled are affected.</description><pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate><category>windows</category><category>zero-day</category><category>cloud-files</category><category>mini-filter-driver</category><category>lpe</category><category>system-access</category><category>no-patch</category><category>poc-public</category></item><item><title>GNU SASL CVE-2026-48829: DIGEST-MD5 Parser Crash Affects Enterprise Mail Servers and LDAP Stacks</title><link>https://cipherwatch.io/articles/2026-05-24-gnu-sasl-cve-2026-48829-digest-md5-null-pointer/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-24-gnu-sasl-cve-2026-48829-digest-md5-null-pointer/</guid><description>A NULL pointer dereference in GNU SASL&apos;s DIGEST-MD5 authentication mechanism (CVE-2026-48829, CVSS 7.5) allows a remote attacker to crash any service using GNU SASL for DIGEST-MD5 authentication by sending a malformed authentication token. Debian and other distributions published security advisories on 24 May. 
Services affected include Postfix, Cyrus IMAP, and LDAP servers using SASL for authentication.</description><pubDate>Sun, 24 May 2026 00:00:00 GMT</pubDate><category>gnu-sasl</category><category>sasl</category><category>cve-2026-48829</category><category>digest-md5</category><category>authentication</category><category>postfix</category><category>ldap</category><category>mail-server</category><category>denial-of-service</category></item><item><title>Linux Kernel CVE-2026-43503: Networking skbuff Frag-Transfer Bug Causes Memory Corruption — CVSS 8.8</title><link>https://cipherwatch.io/articles/2026-05-23-linux-kernel-cve-2026-43503-networking-skbuff-frag-corruption/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-23-linux-kernel-cve-2026-43503-networking-skbuff-frag-corruption/</guid><description>Linux kernel stable branch patches published 23 May address CVE-2026-43503, a CVSS 8.8 memory corruption vulnerability in two networking helper functions that incorrectly handle the SKBFL_SHARED_FRAG flag during fragment transfers. 
The bug affects the skb_shift and __pskb_copy_fclone functions across multiple kernel versions and can be triggered by crafted network traffic on affected configurations.</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>cve-2026-43503</category><category>networking</category><category>memory-corruption</category><category>skbuff</category><category>packet-processing</category></item><item><title>Ubiquiti UniFi OS Security Bulletin 064: Three CVSS 10.0 Vulnerabilities Enable Unauthenticated Full Device Compromise</title><link>https://cipherwatch.io/articles/2026-05-22-ubiquiti-unifi-os-bulletin-064-three-cvss10-vulnerabilities/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-22-ubiquiti-unifi-os-bulletin-064-three-cvss10-vulnerabilities/</guid><description>Ubiquiti published Security Bulletin 064 on 22 May disclosing five CVEs in UniFi OS devices, three of which score CVSS 10.0: an improper access control flaw, a path traversal enabling arbitrary file read and write, and a command injection that provides root shell access — all exploitable without authentication from the network. 
Enterprise environments using UniFi Wi-Fi infrastructure must update immediately.</description><pubDate>Fri, 22 May 2026 00:00:00 GMT</pubDate><category>ubiquiti</category><category>unifi</category><category>network-equipment</category><category>cve-2026-34908</category><category>cve-2026-34909</category><category>cve-2026-34910</category><category>cvss10</category><category>enterprise-wifi</category><category>access-point</category></item><item><title>PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV</title><link>https://cipherwatch.io/articles/2026-05-21-panos-globalprotect-cve-2026-0257-second-exploitation-wave/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-21-panos-globalprotect-cve-2026-0257-second-exploitation-wave/</guid><description>Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, had begun the same day, targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. 
The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.</description><pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>globalprotect</category><category>vpn</category><category>cve-2026-0257</category><category>authentication-bypass</category><category>cisa-kev</category><category>exploitation</category></item><item><title>SonicWall Gen6 SSL-VPN: Patch for CVE-2024-12802 Fails to Close MFA Bypass — Akira Ransomware in 86% of Compromises</title><link>https://cipherwatch.io/articles/2026-05-19-sonicwall-gen6-ssl-vpn-cve-2024-12802-patch-gap-akira/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-19-sonicwall-gen6-ssl-vpn-cve-2024-12802-patch-gap-akira/</guid><description>ReliaQuest published research on 19 May confirming that SonicWall&apos;s official firmware patch for CVE-2024-12802 on Generation 6 SSL-VPN devices requires six manual reconfiguration steps to fully close the MFA bypass vulnerability. Devices that reached end-of-life on 16 April 2026 will receive no further patches. 
Akira ransomware is present in 86% of SonicWall-involved intrusion claims reviewed by ReliaQuest.</description><pubDate>Tue, 19 May 2026 00:00:00 GMT</pubDate><category>sonicwall</category><category>ssl-vpn</category><category>vpn</category><category>cve-2024-12802</category><category>akira</category><category>ransomware</category><category>end-of-life</category><category>mfa-bypass</category></item><item><title>Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365</title><link>https://cipherwatch.io/articles/2026-05-17-sharepoint-second-rce-chain-pwn2own-distinct-path/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-17-sharepoint-second-rce-chain-pwn2own-distinct-path/</guid><description>Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint&apos;s server-side processing pipeline, has no patch and will not receive one for up to 90 days.</description><pubDate>Sun, 17 May 2026 00:00:00 GMT</pubDate><category>sharepoint</category><category>rce</category><category>pwn2own</category><category>zero-day</category><category>microsoft</category><category>collaboration-platform</category></item><item><title>Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments</title><link>https://cipherwatch.io/articles/2026-05-16-cisco-sdwan-cve-2026-20182-post-compromise-forensics/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-16-cisco-sdwan-cve-2026-20182-post-compromise-forensics/</guid><description>CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. 
Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.</description><pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate><category>cisco</category><category>sd-wan</category><category>cve-2026-20182</category><category>incident-response</category><category>forensics</category><category>wan</category><category>threat-hunting</category><category>cisa-kev</category></item><item><title>Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet</title><link>https://cipherwatch.io/articles/2026-05-15-exchange-zero-day-cve-2026-42897-xss-actively-exploited/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-15-exchange-zero-day-cve-2026-42897-xss-actively-exploited/</guid><description>Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. 
Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.</description><pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate><category>exchange</category><category>zero-day</category><category>xss</category><category>cve-2026-42897</category><category>actively-exploited</category><category>cisa-kev</category></item><item><title>Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices</title><link>https://cipherwatch.io/articles/2026-05-14-cisco-sdwan-cve-2026-20182-cvss10-zero-day/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-14-cisco-sdwan-cve-2026-20182-cvss10-zero-day/</guid><description>Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA&apos;s Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>cisco</category><category>sd-wan</category><category>cve-2026-20182</category><category>zero-day</category><category>cisa-kev</category><category>actively-exploited</category></item><item><title>NGINX 18-Year-Old Heap Buffer Overflow CVE-2026-42945 — CVSS 9.2 Flaw Affects All Versions Since 0.6.27 Including Modern API Gateways</title><link>https://cipherwatch.io/articles/2026-05-14-nginx-heap-buffer-overflow-cve-2026-42945/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-14-nginx-heap-buffer-overflow-cve-2026-42945/</guid><description>A heap buffer overflow in NGINX&apos;s chunked transfer encoding handler, present since version 0.6.27 released in 2008, has been assigned CVE-2026-42945 with a CVSS score of 9.2. 
The vulnerability is present in every NGINX release from 0.6.27 up to the fixed versions and can lead to denial of service and potentially remote code execution. Patches are available, and the broad deployment of NGINX as a web server, reverse proxy, and API gateway makes this a wide-impact event.</description><pubDate>Thu, 14 May 2026 00:00:00 GMT</pubDate><category>nginx</category><category>cve-2026-42945</category><category>heap-overflow</category><category>rce</category><category>api-gateway</category></item><item><title>Critical Exim MTA Remote Code Execution CVE-2026-45185 — Use-After-Free in GnuTLS Shutdown Affects Millions of Linux Email Servers</title><link>https://cipherwatch.io/articles/2026-05-13-exim-mta-rce-cve-2026-45185-gnutls-linux/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-13-exim-mta-rce-cve-2026-45185-gnutls-linux/</guid><description>A critical use-after-free vulnerability (CVE-2026-45185) in Exim&apos;s GnuTLS TLS session shutdown handler enables unauthenticated remote code execution on any Exim installation compiled with GnuTLS support. Exim is the default MTA on Debian and is widely deployed on Ubuntu and other Linux distributions, putting tens of millions of internet-facing mail servers at risk. 
Patches are available and should be applied immediately.</description><pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate><category>exim</category><category>rce</category><category>cve-2026-45185</category><category>linux</category><category>email-server</category></item><item><title>Windows DNS Client RCE CVE-2026-41096: Attacker-Controlled DNS Servers Can Trigger Memory Corruption on All Windows Versions</title><link>https://cipherwatch.io/articles/2026-05-12-windows-dns-client-rce-cve-2026-41096/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-12-windows-dns-client-rce-cve-2026-41096/</guid><description>CVE-2026-41096 in the Windows DNS Client allows an attacker controlling a DNS server to send a crafted response that triggers memory corruption on any Windows system performing standard DNS resolution. No user interaction or authentication is required, and the flaw affects all supported Windows versions. Patch network-facing systems within 24 hours.</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>windows</category><category>dns</category><category>rce</category><category>patch-tuesday</category><category>network-attack</category></item><item><title>TrickMo Android Banking Trojan Moves C2 to TON Blockchain — Decentralised Infrastructure Makes Takedown Near-Impossible</title><link>https://cipherwatch.io/articles/2026-05-11-trickmo-ton-blockchain-c2-android-banker/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-trickmo-ton-blockchain-c2-android-banker/</guid><description>The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON&apos;s decentralised architecture means law enforcement cannot seize or sink-hole C2 servers — TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. 
The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>trickmo</category><category>android</category><category>banking-trojan</category><category>c2</category><category>blockchain</category><category>ton-network</category><category>mobile-security</category><category>infrastructure</category></item><item><title>FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage</title><link>https://cipherwatch.io/articles/2026-05-10-freebsd-cve-2026-42511-nfs-vulnerability/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-10-freebsd-cve-2026-42511-nfs-vulnerability/</guid><description>A new vulnerability in FreeBSD&apos;s NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.</description><pubDate>Sun, 10 May 2026 00:00:00 GMT</pubDate><category>freebsd</category><category>nfs</category><category>cve</category><category>network-security</category><category>storage</category><category>bsd</category><category>network-appliances</category><category>client-side-exploitation</category></item><item><title>SonicWall CVE-2026-0204 — Authentication Bypass in SSLVPN Allows Unauthenticated Network Access</title><link>https://cipherwatch.io/articles/2026-05-08-sonicwall-cve-2026-0204-sslvpn-auth-bypass/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-08-sonicwall-cve-2026-0204-sslvpn-auth-bypass/</guid><description>SonicWall has disclosed CVE-2026-0204, an 
authentication bypass vulnerability in the SonicWall SSLVPN product that allows a remote attacker to bypass VPN authentication and gain access to the protected network without valid credentials. SonicWall SSLVPN appliances are widely deployed as enterprise and SMB VPN concentrators. Patch available — update immediately.</description><pubDate>Fri, 08 May 2026 00:00:00 GMT</pubDate><category>sonicwall</category><category>sslvpn</category><category>vpn</category><category>cve</category><category>authentication-bypass</category><category>network-security</category><category>perimeter</category><category>patch</category></item><item><title>ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution</title><link>https://cipherwatch.io/articles/2026-05-07-proftpd-cve-2026-42167-auth-bypass-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-07-proftpd-cve-2026-42167-auth-bypass-rce/</guid><description>A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. 
FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.</description><pubDate>Thu, 07 May 2026 00:00:00 GMT</pubDate><category>proftpd</category><category>ftp</category><category>cve</category><category>authentication-bypass</category><category>rce</category><category>server-security</category><category>patch</category><category>linux</category></item><item><title>Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot</title><link>https://cipherwatch.io/articles/2026-05-06-cisco-cve-2026-20188-dos-manual-reboot-crosswork/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-06-cisco-cve-2026-20188-dos-manual-reboot-crosswork/</guid><description>Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring physical manual reboot to recover. 
CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.</description><pubDate>Wed, 06 May 2026 00:00:00 GMT</pubDate><category>cisco</category><category>cve</category><category>denial-of-service</category><category>crosswork</category><category>nso</category><category>network-automation</category><category>orchestration</category><category>service-provider</category></item><item><title>PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks</title><link>https://cipherwatch.io/articles/2026-05-05-panos-cve-2026-0300-rce-actively-exploited-espionage/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-05-panos-cve-2026-0300-rce-actively-exploited-espionage/</guid><description>A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. 
Patches are available — apply immediately.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>cve</category><category>rce</category><category>zero-day</category><category>actively-exploited</category><category>cisa-kev</category><category>firewall</category><category>espionage</category><category>globalprotect</category></item><item><title>Progress MOVEit Automation — Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately</title><link>https://cipherwatch.io/articles/2026-05-04-moveit-automation-auth-bypass-critical/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-04-moveit-automation-auth-bypass-critical/</guid><description>Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit&apos;s history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. 
Organisations should apply the patch and review automation workflow configurations before exploitation begins.</description><pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate><category>moveit</category><category>authentication-bypass</category><category>managed-file-transfer</category><category>critical-vulnerability</category><category>progress-software</category><category>patch-urgently</category></item><item><title>EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance</title><link>https://cipherwatch.io/articles/2026-05-03-etherrat-ethereum-blockchain-c2-campaign/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-03-etherrat-ethereum-blockchain-c2-campaign/</guid><description>Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.</description><pubDate>Sun, 03 May 2026 00:00:00 GMT</pubDate><category>malware</category><category>blockchain</category><category>c2</category><category>ethereum</category><category>evasion</category><category>rat</category><category>threat-intelligence</category></item><item><title>DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials</title><link>https://cipherwatch.io/articles/2026-05-02-deepdoor-python-backdoor-cloudflare-tunnel/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-02-deepdoor-python-backdoor-cloudflare-tunnel/</guid><description>Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. 
The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.</description><pubDate>Sat, 02 May 2026 00:00:00 GMT</pubDate><category>malware</category><category>python-backdoor</category><category>cloudflare</category><category>c2</category><category>credential-theft</category><category>evasion</category><category>windows</category></item><item><title>D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively</title><link>https://cipherwatch.io/articles/2026-04-29-dlink-dir823x-cve-2025-29635-mirai-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-29-dlink-dir823x-cve-2025-29635-mirai-cisa-kev/</guid><description>CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA&apos;s Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. 
Federal deadline: May 19, 2026.</description><pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate><category>d-link</category><category>mirai</category><category>cve-2025-29635</category><category>cisa-kev</category><category>eol-device</category><category>command-injection</category><category>botnet</category></item><item><title>OpenSSH 10.3 Patches Shell Metacharacter Injection CVE-2026-35386 in Non-Default scp Configurations</title><link>https://cipherwatch.io/articles/2026-04-27-openssh-10-3-cve-2026-35386-shell-metacharacter-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-openssh-10-3-cve-2026-35386-shell-metacharacter-rce/</guid><description>OpenSSH 10.3, released April 26, addresses CVE-2026-35386, a shell metacharacter injection flaw in the scp client that can result in unintended remote command execution when transferring files from attacker-controlled servers. While exploitation requires non-default configuration, scp is still widely used in automated backup and deployment pipelines and should be updated promptly.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>openssh</category><category>scp</category><category>cve-2026-35386</category><category>shell-injection</category><category>patch</category><category>remote-code-execution</category></item><item><title>APT28 Operation Masquerade: GRU Hijacked 18,000 Routers to Steal Microsoft 365 OAuth Tokens</title><link>https://cipherwatch.io/articles/2026-04-26-apt28-operation-masquerade-dns-hijacking-m365/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-26-apt28-operation-masquerade-dns-hijacking-m365/</guid><description>Russia&apos;s GRU Unit 26165 operated an 18,000-router DNS hijacking network targeting Microsoft 365 OAuth tokens across 120 countries. The US DOJ&apos;s Operation Masquerade dismantled US-based infrastructure on April 7 2026, but the global campaign continues. 
Organisations should audit DNS resolver settings, revoke OAuth sessions, and enforce Conditional Access for remote users.</description><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><category>apt28</category><category>dns-hijacking</category><category>microsoft-365</category><category>nation-state</category><category>oauth</category><category>russia</category></item><item><title>Microsoft Bing Remote Code Execution via Deserialization — CVSS 10.0 Patch Now</title><link>https://cipherwatch.io/articles/2026-04-24-microsoft-bing-rce-deserialization-cve-2026-33819/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-microsoft-bing-rce-deserialization-cve-2026-33819/</guid><description>A critical CVSS 10.0 unauthenticated RCE vulnerability in Microsoft Bing allows attackers to execute arbitrary code over the network via unsafe deserialization. Patched in April 2026 Patch Tuesday — update immediately.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>microsoft</category><category>deserialization</category><category>patch-tuesday</category></item><item><title>Wormable Windows TCP/IP Race Condition RCE (CVE-2026-33827) — IPv6-Enabled Networks Face EternalBlue-Class Propagation Risk</title><link>https://cipherwatch.io/articles/2026-04-24-windows-tcpip-wormable-rce-cve-2026-33827-ipv6-ipsec/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-windows-tcpip-wormable-rce-cve-2026-33827-ipv6-ipsec/</guid><description>A race condition in the Windows TCP/IP stack allows unauthenticated remote code execution against systems with IPv6 or IPSec enabled, demonstrated at Pwn2Own 2026 and patched in April&apos;s Patch Tuesday. 
The vulnerability&apos;s wormable characteristics — no user interaction, no authentication, network-adjacent propagation — place it in the same risk category as EternalBlue for environments that have not applied the April update.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>windows</category><category>tcpip</category><category>rce</category><category>wormable</category><category>ipv6</category><category>ipsec</category><category>patch-tuesday</category><category>cvss-critical</category></item><item><title>Four Critical Cisco Flaws: Webex SSO User Impersonation (CVSS 9.8) and ISE Root Code Execution (CVSS 9.9)</title><link>https://cipherwatch.io/articles/2026-04-21-cisco-webex-sso-ise-critical-cve-2026-20184/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-21-cisco-webex-sso-ise-critical-cve-2026-20184/</guid><description>Cisco patched four critical vulnerabilities across Webex Services and Identity Services Engine. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user via crafted SSO tokens. Three ISE flaws at CVSS 9.9 let read-only admins execute arbitrary commands as root. 
Webex deployments with SSO require urgent manual action — Cisco&apos;s cloud fix is not sufficient without administrator intervention.</description><pubDate>Tue, 21 Apr 2026 00:00:00 GMT</pubDate><category>cisco</category><category>webex</category><category>identity-services-engine</category><category>sso</category><category>rce</category><category>authentication-bypass</category><category>saml</category><category>certificate-validation</category><category>critical</category><category>ise</category></item><item><title>Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access</title><link>https://cipherwatch.io/articles/2026-04-20-fortisandbox-cve-2026-39808-39813-rce-poc-exploit/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-20-fortisandbox-cve-2026-39808-39813-rce-poc-exploit/</guid><description>A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. 
Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.</description><pubDate>Mon, 20 Apr 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>fortisandbox</category><category>rce</category><category>command-injection</category><category>authentication-bypass</category><category>poc-exploit</category><category>unauthenticated</category><category>cve-2026-39808</category><category>cve-2026-39813</category></item><item><title>CVE-2026-33824: Critical Windows IKE Service RCE Demands Urgent Patching</title><link>https://cipherwatch.io/articles/2026-04-17-windows-ike-cve-2026-33824-unauthenticated-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-17-windows-ike-cve-2026-33824-unauthenticated-rce/</guid><description>A CVSS 9.8 double-free vulnerability in the Windows Internet Key Exchange service allows unauthenticated remote attackers to achieve SYSTEM-level code execution on all supported Windows versions. With no user interaction required and confirmation of pre-patch exploitation, every unpatched Windows host with IKEv2 enabled is at immediate risk. 
Apply the April 2026 Patch Tuesday update or block UDP ports 500 and 4500 immediately.</description><pubDate>Fri, 17 Apr 2026 00:00:00 GMT</pubDate><category>cve-2026-33824</category><category>windows</category><category>ike</category><category>rce</category><category>patch-tuesday</category><category>unauthenticated</category></item><item><title>Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Emergency Hotfix Available</title><link>https://cipherwatch.io/articles/2026-04-15-fortinet-forticlient-ems-cve-2026-35616-pre-auth-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-15-fortinet-forticlient-ems-cve-2026-35616-pre-auth-rce/</guid><description>A pre-authentication remote code execution zero-day in Fortinet FortiClient Enterprise Management Server (CVE-2026-35616, CVSS 9.1) has been under active exploitation since 31 March 2026, ahead of Fortinet&apos;s advisory. CISA added it to the KEV catalogue on 6 April with a federal deadline of 9 April. An emergency hotfix is available without requiring system downtime.</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>zero-day</category><category>rce</category><category>forticlient</category><category>ems</category><category>cisa-kev</category><category>pre-authentication</category></item><item><title>Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed</title><link>https://cipherwatch.io/articles/2026-04-12-forticlient-ems-cve-2026-21643-pre-auth-sql-injection/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-12-forticlient-ems-cve-2026-21643-pre-auth-sql-injection/</guid><description>Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. 
The flaw is distinct from last week&apos;s CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.</description><pubDate>Sun, 12 Apr 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>forticlient</category><category>ems</category><category>sql-injection</category><category>rce</category><category>pre-authentication</category><category>cve</category><category>cisa-kev</category></item><item><title>CISA Adds Ivanti EPMM CVE-2026-1340 to KEV — Federal Patch Deadline Today</title><link>https://cipherwatch.io/articles/2026-04-11-ivanti-epmm-cve-2026-1340-cisa-kev-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-11-ivanti-epmm-cve-2026-1340-cisa-kev-rce/</guid><description>CISA has added CVE-2026-1340, a critical unauthenticated remote code execution flaw in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalogue with a federal agency deadline of 11 April. The vulnerability chains with CVE-2026-1281 to enable full appliance takeover and has been actively exploited since January 2026. 
All organisations running Ivanti EPMM on-premises must patch immediately.</description><pubDate>Sat, 11 Apr 2026 00:00:00 GMT</pubDate><category>ivanti</category><category>epmm</category><category>mdm</category><category>rce</category><category>cisa-kev</category><category>unauthenticated</category><category>code-injection</category><category>cve-2026-1340</category><category>cve-2026-1281</category></item><item><title>Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors</title><link>https://cipherwatch.io/articles/2026-04-10-panos-globalprotect-cve-2026-3197-exploited/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-panos-globalprotect-cve-2026-3197-exploited/</guid><description>A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. 
CISA has added it to the KEV catalogue.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>globalprotect</category><category>saml</category><category>authentication-bypass</category><category>cve-2026-3197</category><category>firewall</category><category>vpn</category><category>nation-state</category><category>cisa-kev</category><category>critical</category></item><item><title>Citrix NetScaler CVE-2026-3055 Actively Exploited — CISA Orders Patch by 2 April</title><link>https://cipherwatch.io/articles/2026-04-09-citrix-netscaler-cve-2026-3055-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-09-citrix-netscaler-cve-2026-3055-active-exploitation/</guid><description>A critical unauthenticated memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalogue. 
Appliances configured as SAML Identity Providers are leaking sensitive memory contents including session tokens via a crafted SAML request.</description><pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate><category>citrix</category><category>netscaler</category><category>adc</category><category>gateway</category><category>saml</category><category>memory-overread</category><category>cisa-kev</category><category>cve-2026-3055</category><category>authentication</category></item><item><title>Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs</title><link>https://cipherwatch.io/articles/2026-04-09-iran-plc-ot-attacks-us-critical-infrastructure/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-09-iran-plc-ot-attacks-us-critical-infrastructure/</guid><description>A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. 
Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.</description><pubDate>Thu, 09 Apr 2026 00:00:00 GMT</pubDate><category>ics</category><category>ot</category><category>plc</category><category>iran</category><category>critical-infrastructure</category><category>apt</category><category>scada</category><category>hmi</category></item><item><title>PAN-OS GlobalProtect Denial-of-Service CVE-2026-0227 — PoC Published, Firewalls Risk Forced Maintenance Mode</title><link>https://cipherwatch.io/articles/2026-04-04-pan-os-globalprotect-cve-2026-0227-dos-poc/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-04-pan-os-globalprotect-cve-2026-0227-dos-poc/</guid><description>A proof-of-concept exploit has been published for CVE-2026-0227, a denial-of-service vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect gateways and portals. An unauthenticated remote attacker can crash the firewall into a mandatory maintenance mode by sending malformed requests to the GlobalProtect interface. Prisma Access deployments are also affected. 
Palo Alto has released patches; the PoC significantly elevates exploitation risk.</description><pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate><category>palo-alto</category><category>pan-os</category><category>globalprotect</category><category>cve-2026-0227</category><category>dos</category><category>firewall</category><category>prisma-access</category><category>poc</category></item><item><title>Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline</title><link>https://cipherwatch.io/articles/2026-04-03-citrix-cve-2026-3055-kev-patch-deadline/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-03-citrix-cve-2026-3055-kev-patch-deadline/</guid><description>CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.</description><pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate><category>citrix</category><category>netscaler</category><category>cve-2026-3055</category><category>saml</category><category>session-token</category><category>cisa-kev</category><category>exploit</category><category>patch</category></item><item><title>F5 BIG-IP APM Vulnerability Reclassified as Critical RCE — CISA Mandates Three-Day Patch Window</title><link>https://cipherwatch.io/articles/2026-03-31-f5-bigip-apm-cve-2025-53521-rce-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-31-f5-bigip-apm-cve-2025-53521-rce-cisa-kev/</guid><description>A vulnerability in F5 BIG-IP Access Policy Manager initially classed as denial-of-service has been reclassified as critical remote code execution with CVSS 9.8 after active exploitation was confirmed. 
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March and set a three-day patch deadline for federal agencies. All organisations running BIG-IP APM should treat this as an emergency.</description><pubDate>Tue, 31 Mar 2026 00:00:00 GMT</pubDate><category>f5</category><category>big-ip</category><category>apm</category><category>rce</category><category>cve-2025-53521</category><category>cisa-kev</category><category>critical</category><category>patch</category></item><item><title>Ubiquiti UniFi CVSS 10 Path Traversal CVE-2026-22557 Enables Full Account Takeover</title><link>https://cipherwatch.io/articles/2026-03-30-ubiquiti-unifi-cve-2026-22557-path-traversal/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-30-ubiquiti-unifi-cve-2026-22557-path-traversal/</guid><description>Ubiquiti disclosed a maximum-severity path traversal vulnerability in the UniFi Network Application that allows unauthenticated attackers to read arbitrary files from the underlying OS and take over controller accounts with no credentials required. Censys identified approximately 87,000 internet-exposed UniFi endpoints at time of disclosure. 
The vulnerability is frequently chained with a companion NoSQL injection flaw for full administrative access.</description><pubDate>Mon, 30 Mar 2026 00:00:00 GMT</pubDate><category>ubiquiti</category><category>unifi</category><category>path-traversal</category><category>unauthenticated</category><category>account-takeover</category><category>nosql-injection</category><category>cve-2026-22557</category><category>cve-2026-22558</category><category>network-management</category></item><item><title>MongoBleed CVE-2025-14847: 87,000 Exposed MongoDB Instances Under Active Attack, Memory Leaking Credentials</title><link>https://cipherwatch.io/articles/2026-03-28-mongodb-mongobleed-cve-2025-14847-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-28-mongodb-mongobleed-cve-2025-14847-active-exploitation/</guid><description>CVE-2025-14847, named MongoBleed, is an unauthenticated memory disclosure vulnerability in MongoDB Server that allows attackers to read uninitialized heap memory from any internet-exposed instance. With 87,000 potentially vulnerable deployments globally and CISA KEV inclusion confirmed, active exploitation campaigns are targeting MongoDB instances to extract credentials, API keys, and sensitive data cached in server memory. 
The fix has been available since December 2025.</description><pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate><category>mongodb</category><category>mongobleed</category><category>memory-disclosure</category><category>cve-2025-14847</category><category>unauthenticated</category><category>database</category><category>cisa-kev</category><category>heap-memory</category><category>credential-exposure</category></item><item><title>Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch — Root Access on Enterprise Firewalls</title><link>https://cipherwatch.io/articles/2026-03-26-cisco-fmc-cve-2026-20131-interlock-zero-day/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-26-cisco-fmc-cve-2026-20131-interlock-zero-day/</guid><description>Cisco&apos;s Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. 
Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.</description><pubDate>Thu, 26 Mar 2026 00:00:00 GMT</pubDate><category>cisco</category><category>firepower</category><category>fmc</category><category>zero-day</category><category>deserialization</category><category>rce</category><category>ransomware</category><category>interlock</category><category>cisa-kev</category><category>cve-2026-20131</category><category>firewall-management</category></item><item><title>React2Shell CVE-2025-55182: China-Nexus Groups Exploit Max-Severity Next.js Flaw Across 30+ Organisations</title><link>https://cipherwatch.io/articles/2026-03-25-react2shell-cve-2025-55182-china-nexus-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-25-react2shell-cve-2025-55182-china-nexus-exploitation/</guid><description>CVE-2025-55182 (React2Shell), a maximum-severity unauthenticated remote code execution vulnerability in React Server Components and Next.js, is being actively exploited by China-state-affiliated threat groups and financially motivated actors simultaneously. 
Palo Alto Networks has confirmed over 30 organisations breached and 77,000 internet-exposed vulnerable instances, with attackers systematically harvesting AWS credentials, database connection strings, and SSH keys from compromised web infrastructure.</description><pubDate>Wed, 25 Mar 2026 00:00:00 GMT</pubDate><category>react</category><category>nextjs</category><category>rce</category><category>unauthenticated</category><category>cve-2025-55182</category><category>react2shell</category><category>china-nexus</category><category>credential-theft</category><category>aws</category><category>web-application</category></item><item><title>Ivanti EPM Authentication Bypass CVE-2026-1603 Exploited — Federal Patch Deadline Today</title><link>https://cipherwatch.io/articles/2026-03-23-ivanti-epm-cve-2026-1603-auth-bypass-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-23-ivanti-epm-cve-2026-1603-auth-bypass-cisa-kev/</guid><description>CISA added CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager, to the Known Exploited Vulnerabilities catalogue on 9 March with a federal agency patch deadline of 23 March. The flaw allows unauthenticated attackers to bypass authentication entirely and steal Domain Administrator password hashes and service account credentials from EPM&apos;s credential vault.</description><pubDate>Mon, 23 Mar 2026 00:00:00 GMT</pubDate><category>ivanti</category><category>epm</category><category>authentication-bypass</category><category>credential-theft</category><category>cisa-kev</category><category>cve-2026-1603</category><category>endpoint-management</category></item></channel></rss>