// #zero-day

36 articles — page 1 of 2

🔬 Assessment

Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8): ShinyHunters Exploit Zero-Day to Breach University Student Records at Scale

A critical zero-day vulnerability in Oracle PeopleSoft Campus Solutions — CVE-2026-35273, CVSS 9.8 — has been exploited by the ShinyHunters threat group to breach student record systems at multiple universities across the US, UK, and Australia. The flaw allows unauthenticated attackers to bypass authentication in the PeopleSoft web application layer, granting direct access to student enrolment, financial aid, and academic records.

#oracle +8
🏛️ Architecture

June Patch Tuesday Zero-Days: BitLocker Bypass CVE-2026-50507 and CTFMON Privilege Escalation CVE-2026-45586

Two of June 2026's six publicly disclosed zero-days target security boundaries rather than remote execution: CVE-2026-50507 bypasses BitLocker pre-boot authentication on stolen devices, and CVE-2026-45586 enables local privilege escalation through the Windows Text Services Framework. Both carry named researcher disclosures and appear in active post-exploitation toolkits.

#bitlocker +8
🛡️ SecOps

Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch

Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. All users and enterprise deployments should update immediately — CISA's federal deadline is 30 June.

#chrome +8
🛡️ SecOps

Microsoft June 2026 Patch Tuesday: 198 CVEs and Six Zero-Days Including Wormable CVSS 9.8 HTTP.sys Flaw

Microsoft's June 2026 Patch Tuesday addresses 198 vulnerabilities across Windows, Office, Azure, and server components — including three CVSS 9.8 critical remote code execution flaws and six publicly disclosed zero-days. HTTP.sys CVE-2026-47291 is wormable, requiring no authentication or user interaction against any Windows Server with IIS or HTTP API exposed.

#microsoft +9
🛡️ SecOps

Android June 2026 Security Update: Zero-Day CVE-2025-48595 Patched Alongside 124 Vulnerabilities

Google's June 2026 Android Security Bulletin patches 124 vulnerabilities including CVE-2025-48595, an integer overflow in the Android Framework with confirmed limited exploitation consistent with nation-state spyware deployment. Enterprise Android fleets should prioritise this update given the zero-day's targeted exploitation pattern.

#android +7
🔬 Assessment

Zero-Day Response Maturity: Assessing Your Organisation's Capability Against May 2026's Vulnerability Cluster

May 2026 produced multiple simultaneous zero-days and CVSS 9.0+ vulnerabilities with active exploitation. The month serves as an inadvertent assessment of enterprise vulnerability response capability. This framework evaluates response maturity across five dimensions using the month's events as test cases.

#zero-day +5
🌐 Network

MiniPlasma: PoC-Released Windows Zero-Day Exploits Cloud Files Mini Filter Driver for SYSTEM Access

A researcher published a working proof-of-concept for a Windows zero-day — dubbed MiniPlasma — that exploits the Cloud Files Mini Filter Driver to achieve SYSTEM-level access on fully-patched Windows 10, Windows 11, and Windows Server 2022/2025. Microsoft has not issued a patch or an out-of-band advisory. All unmitigated Windows systems with cloud sync enabled are affected.

#windows +7
🏛️ Architecture

Hardening Windows Environments When No Patch Exists: Response Architecture for MiniPlasma and Similar Zero-Days

When a working proof-of-concept for a Windows privilege escalation zero-day is public and no vendor patch exists, the defender's playbook shifts from patching to attack surface reduction. Layered controls can meaningfully raise the bar even when the vulnerable component cannot be removed.

#windows +7
🛡️ SecOps

CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update

CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.

#microsoft-defender +6
🛡️ SecOps

Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance

Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.

#exchange +5
🔬 Assessment

Pwn2Own Berlin 2026 Closes: DEVCORE Wins Master of Pwn with $505K and 50.5 Points — $1.3M Total Across 47 Zero-Days

Pwn2Own Berlin 2026 concluded with DEVCORE Research Team winning the Master of Pwn title with $505,000 in earnings and 50.5 points, driven by Orange Tsai's Exchange SYSTEM RCE chain and consistent results across multiple targets. The three-day competition produced 47 unique zero-day vulnerabilities across enterprise products, cloud infrastructure, and AI tools, with $1,298,250 in total prize money awarded.

#pwn2own +5
🌐 Network

Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365

Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.

#sharepoint +5
🛡️ SecOps

Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs

With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.

#exchange +6
🔬 Assessment

Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded

The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.

#pwn2own +5
🏛️ Architecture

VMware ESXi Cross-Tenant Code Execution Demonstrated at Pwn2Own Berlin — $200K Prize for Single-Bug Hypervisor Escape

STARLabs SG earned $200,000 at Pwn2Own Berlin 2026 for a single vulnerability enabling cross-tenant code execution on VMware ESXi, allowing code running in one virtual machine to execute in a separate guest VM on the same hypervisor host. The bug has not been assigned a CVE and will not be publicly disclosed for up to 90 days.

#vmware +6
🌐 Network

Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet

Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.

#exchange +5
🌐 Network

Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices

Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.

#cisco +5
🔬 Assessment

Pwn2Own Berlin 2026 Day 1: Windows 11 Hacked Three Times, Edge Sandbox Escaped for $175K — 24 Zero-Days Demonstrated

The first day of Pwn2Own Berlin 2026 saw researchers demonstrate 24 previously unknown vulnerabilities across Windows 11, Microsoft Edge, VMware Workstation, and Oracle VirtualBox. Windows 11 was compromised three separate times by different teams, and a full Microsoft Edge sandbox escape earned a $175,000 award. No CVE IDs have been assigned yet as vendors begin the 90-day remediation process.

#pwn2own +5
🏛️ Architecture

Windows BitLocker Zero-Day 'YellowKey' Published with PoC — WinRE Bypass Decrypts Protected Drives Without Authentication

Researcher collective Chaotic Eclipse released a proof-of-concept exploit for 'YellowKey,' an unpatched Windows BitLocker bypass that abuses the Windows Recovery Environment to gain access to encrypted drives without the PIN or password. No CVE has been assigned yet and Microsoft has not released a patch. Organisations relying on BitLocker for endpoint data protection should assess their exposure.

#bitlocker +4
🛡️ SecOps

Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery

Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.

#ai-security +5
🛡️ SecOps

Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch

Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.

#linux +8
🌐 Network

PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks

A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.

#palo-alto +9
🔬 Assessment

cPanel and WHM CVE-2026-41940 — CVSS 9.8 Authentication Bypass Exploited as Zero-Day Before Patch

CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM web hosting control panel software, was exploited in the wild before the vendor issued a patch. All versions from 11.40 onwards are affected. Proof-of-concept code is now public. Web hosting providers, managed service providers, and any organisation running cPanel/WHM for server management should apply the emergency patch immediately.

#cpanel +6
⚖️ Risk Mgmt

Anthropic's Claude Mythos AI Discovers Thousands of Zero-Days Across Every Major OS — Project Glasswing Offers Private Access

Anthropic's specialised vulnerability-hunting AI, Claude Mythos, has systematically discovered thousands of zero-day vulnerabilities across Windows, macOS, Linux, and major browsers — including a 17-year-old NFS RCE in FreeBSD and a 27-year-old OpenBSD denial-of-service. Project Glasswing provides private early access to Microsoft, Google, Apple, and select others. The implications for enterprise risk governance are immediate.

#ai-security +5

Commentary tagged #zero-day

Opinion

Exchange Keeps Getting Exploited Because We Still Treat Email Infrastructure as Trusted

CVE-2026-42897 is the third actively exploited Exchange zero-day in fourteen months. Each time, the analysis focuses on the specific vulnerability. The more useful question is why email infrastructure continues to receive weaker security monitoring and network controls than VPN gateways and web servers, despite processing more untrusted content than any other enterprise system.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Pwn2Own Proves the Software Is Breakable. Enterprise Patching Pretends It Isn't.

Pwn2Own Berlin Day 1 saw Windows 11 compromised three separate times, Edge's sandbox escaped, and two hypervisors defeated. Vendors will patch the reported bugs within 90 days. The enterprise response to Pwn2Own results is almost universally: nothing. We treat demonstrated zero-days as vendor problems until they become CVEs, and we treat CVEs as patch management problems until they become incidents.

CipherWatch Editorial

Security Intelligence Platform

Opinion

The Risk Calculus Changed Today

Google's confirmation of the first AI-developed zero-day used in live exploitation is not a warning about the future. It is a statement about the present. The security industry's habit of treating AI-assisted exploitation as a 'horizon threat' just ran out of runway.

CipherWatch Editorial

Security Intelligence Platform

Opinion

AI Has Learned to Find Bugs Faster Than We Can Fix Them

Claude Mythos discovering thousands of zero-days confirms what was already theoretically obvious: AI vulnerability research is orders of magnitude faster than human-paced remediation. The industry's response — private disclosure programmes — is a delay mechanism, not a solution to the structural asymmetry between discovery speed and patch deployment speed.

CipherWatch Editorial

Security Intelligence Platform