Active Exploitation of Critical Zero-Days in Microsoft Exchange and Cisco SD-WAN; Windows Flaws Exposed by Public PoCs

Fortinet Releases Patches for Critical Remote Code Execution Vulnerabilities in FortiAuthenticator and FortiSandbox

Fortinet has released urgent security updates to address critical vulnerabilities in its FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083) products. The flaws, rated 9.8 and 9.1 respectively, could allow an unauthenticated, remote attacker to execute arbitrary code or commands via crafted HTTP requests. Given the critical nature of these products in enterprise security stacks, administrators are strongly advised to apply the patches immediately to prevent potential compromise.

FortinetFortiAuthenticatorFortiSandboxCVE-2026-44277CVE-2026-26083 +3 more

Critical RCE Flaw in CloudNativePG for Kubernetes Allows Superuser Takeover

Critical Privilege Escalation and RCE Vulnerability (CVE-2026-44477) Disclosed in CloudNativePG Kubernetes Operator

A critical vulnerability, CVE-2026-44477, has been discovered in CloudNativePG, a popular open-source operator for running PostgreSQL on Kubernetes. The flaw, rated 9.4 in severity, allows for privilege escalation to full 'postgres' superuser and subsequent remote code execution (RCE) within the primary database pod. The vulnerability exists in the metrics exporter component. All users are strongly urged to upgrade to the patched versions (1.29.1 and 1.28.3) immediately to prevent potential cluster compromise.

CVE-2026-44477CloudNativePGKubernetesPostgreSQLRCE +2 more

Critical RCE Flaw in CloudNativePG for Kubernetes Allows Superuser Takeover

Russian APT Turla Evolves Kazuar Backdoor into Stealthy P2P Botnet

Turla APT Re-engineers Kazuar Backdoor into Modular Peer-to-Peer Botnet for Enhanced Stealth and Persistence

The Russian state-sponsored threat group Turla has significantly upgraded its Kazuar backdoor, transforming it into a sophisticated, modular peer-to-peer (P2P) botnet. According to Microsoft, this architectural shift is designed to enhance stealth and resilience by decentralizing command and control, making the malware harder to disrupt. The new version isolates tasks, data, and configuration to minimize interaction with external infrastructure, reinforcing Turla's focus on long-term intelligence collection from high-value government, diplomatic, and defense targets.

TurlaKazuarAPTRussiaP2P Botnet +3 more

Russian APT Turla Evolves Kazuar Backdoor into Stealthy P2P Botnet

Sandworm APT Evolves, Targeting Misconfigured Edge Devices for Direct OT Access

Russian APT Sandworm Shifts Tactics to Exploit Misconfigured Edge Devices for Attacks on Critical Infrastructure

The Russian state-sponsored group Sandworm (APT44) is evolving its tactics, moving from traditional IT network intrusions to directly targeting misconfigured edge devices as an entry point into Operational Technology (OT) networks. This shift allows the APT to bypass hardened IT perimeters and gain immediate access to sensitive Industrial Control Systems (ICS). By leveraging vulnerabilities in firewalls, VPNs, and other network appliances at the IT/OT boundary, Sandworm can more rapidly stage attacks against critical infrastructure, highlighting a growing trend of threats against industrial environments.

SandwormAPT44APTRussiaOT Security +3 more

Sandworm APT Evolves, Targeting Misconfigured Edge Devices for Direct OT Access

NIST Finalizes SP 800-172r3, Toughening Security Rules for Controlled Unclassified Information (CUI)

INFORMATIONAL

NIST Releases Final Version of SP 800-172r3, Adding 80 New Controls for Protecting High-Value CUI

The U.S. National Institute of Standards and Technology (NIST) has finalized Special Publication (SP) 800-172r3, which outlines enhanced security requirements for protecting Controlled Unclassified Information (CUI). The updated guidance adds 80 new controls, with a strong emphasis on supply chain risk management, access control, and threat detection. This revision will impose more stringent cybersecurity obligations on government contractors and other organizations that handle CUI in systems associated with high-value assets or critical programs, requiring them to prepare for implementation.

NISTCUISP 800-172r3ComplianceRegulatory +2 more

NIST Finalizes SP 800-172r3, Toughening Security Rules for Controlled Unclassified Information (CUI)

AI-Powered Attacks on Maritime Industry Weaponize Flaws in Under 48 Hours

AI Accelerates Cyberattacks in Maritime Industry, Slashing Vulnerability Weaponization Time, Report Warns

A new report from Cydome highlights the dramatic acceleration of cyber threats against the global maritime industry, driven by attackers using Artificial Intelligence (AI). Up to 60% of newly disclosed software vulnerabilities are now being weaponized within 48 hours, a massive reduction from previous years. This collapse of the security response window leaves ships and onshore infrastructure highly exposed. The report also notes that 83% of phishing emails now use AI to craft more convincing, native-language messages, increasing the risk of insider-enabled breaches in a multinational environment.

AIArtificial IntelligenceMaritime SecurityCyberattackVulnerability Management +2 more

AI-Powered Attacks on Maritime Industry Weaponize Flaws in Under 48 Hours

Updated Articles (5)

Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

Cisco Warns of Actively Exploited Zero-Day in Catalyst SD-WAN (CVE-2026-20182)

The Canadian Centre for Cyber Security has confirmed active exploitation of CVE-2026-20182, noting attackers have successfully escalated privileges to root. This update also highlights that threat actors continue to exploit older SD-WAN vulnerabilities. Comprehensive new sections on detection, response, and mitigation strategies, including auditing logs, monitoring configuration drift, SSH key auditing, and network baselining, have been provided to help organizations defend against this critical threat. Specific guidance on restricting management access and network segmentation is also included.

CVE-2026-20182Zero-DayCiscoSD-WANAuthentication Bypass +3 more

Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack

Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

Microsoft Confirms Actively Exploited Zero-Day in Exchange Server (CVE-2026-42897)

The actively exploited Exchange zero-day, CVE-2026-42897, has new technical details. Microsoft confirmed no patch in May 2026 Patch Tuesday. The vulnerability's impact is further detailed, including potential for credential theft, session hijacking, data exfiltration, and broader network intrusions. Crucially, new cyber observables and hunting hints are provided, such as specific URL patterns, IIS log monitoring for script tags, and EDR checks for w3wp.exe spawning cmd.exe or powershell.exe. Detection and mitigation guidance is expanded with more specific actions for EEMS, IIS logs, EDR, and network monitoring.

CVE-2026-42897Microsoft ExchangeZero-DayXSSOWA +2 more

Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

Belarus-Aligned APT 'FrostyNeighbor' Deploys New JavaScript Loader in Attacks on Poland & Ukraine

Belarusian APT 'FrostyNeighbor' Targets Poland and Ukraine with New Toolkit

The Belarus-aligned FrostyNeighbor (Ghostwriter) APT continues its campaign against Ukrainian government organizations, active since March 2026. ESET has now released specific Indicators of Compromise (IOCs) to aid defenders. The group's geofenced infrastructure performs detailed validation, including IP address and user agent checks, before delivering JavaScript-based payloads. This update provides actionable intelligence for detection and mitigation efforts against this persistent cyber-espionage threat.

FrostyNeighborGhostwriterAPTBelarusUkraine +4 more

Belarus-Aligned APT 'FrostyNeighbor' Deploys New JavaScript Loader in Attacks on Poland & Ukraine

Researcher Drops Two Windows Zero-Days, 'YellowKey' and 'GreenPlasma,' Exposing BitLocker and Escalating Privileges

Researcher Drops Two Unpatched Windows Zero-Day Exploits, "YellowKey" & "GreenPlasma"

The new article provides additional context regarding the YellowKey and GreenPlasma zero-day exploits. It highlights that the PoCs were released immediately after Microsoft's May Patch Tuesday, emphasizing the lack of official patches. The affected server versions for GreenPlasma are updated to include Windows Server 2026. Crucially, the article references the researcher's past disclosure of 'BlueHammer,' which was subsequently exploited, reinforcing the high likelihood of these new exploits being weaponized by threat actors.

Zero-DayWindowsBitLockerPrivilege EscalationYellowKey +3 more

Researcher Drops Two Windows Zero-Days, 'YellowKey' and 'GreenPlasma,' Exposing BitLocker and Escalating Privileges

New 'Rex' Ransomware Emerges, Using Double Extortion and .rex48 Extension

New 'Rex' Ransomware Strain Emerges with Double Extortion Tactics

The latest analysis of Rex Ransomware provides explicit command-line usage for deleting Volume Shadow Copies (vssadmin.exe Delete Shadows /all /quiet), offering a more precise indicator for detection. Additionally, the report expands on MITRE ATT&CK techniques, including T1071.001 (Web Protocols) and T1567 (Exfiltration Over Web Service) for data exfiltration, and T1112 (Modify Registry) for potential persistence. Enhanced detection methods now include specific behavioral monitoring for these commands, and mitigation advice emphasizes immutable offline backups, network segmentation, and least privilege principles.