Security Articles

Stay ahead of emerging threats with expert analysis from 118 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. Opening the week of May 18 – May 24, 2026 (Tuesday outlook): the new week kicks off with back-to-back CRITICAL advisories — NGINX rewrite-module flaw CVE-2026-42945 hit active exploitation within days of disclosure on Monday, an 18-year-old bug now sitting on every NGINX-fronted application stack, and Cisco Catalyst SD-WAN CVE-2026-20182 landed Sunday at CVSS 10.0 under active exploitation by UAT-8616 with no workaround. Carrying forward from last week, Microsoft Exchange XSS CVE-2026-42897 remains under active attack with CISA listing in the Known Exploited Vulnerabilities catalog, May 2026 Patch Tuesday's unauthenticated Netlogon and DNS RCE pair stays the priority server-side patch at CVSS 9.8, and Ivanti EPMM CVE-2026-6973 still triggers the 3-day federal deadline for any organization running on-prem mobile device management. If your business depends on an NGINX-fronted application, a Cisco SD-WAN fabric, on-premises Exchange, or Ivanti EPMM, this week's advisories require action today — start with the article-level remediation steps below.

All Articles Advisory Cyber Attack Data Breach Exploit Malware Threat Actor Vulnerability

Severity: All Critical High Medium Low

120 articles found

Featured Story

critical

Apr 30, 2026

criticalCVE AdvisoryVulnerability

CRITICAL: GitHub Enterprise Server RCE via a Single Git Push (CVE-2026-3854)

Wiz researchers disclosed CVE-2026-3854 on April 28, a critical remote code execution flaw in GitHub Enterprise Server that turns a single authenticated git push into full server compromise. Roughly 88 percent of internet-exposed Enterprise Server instances were unpatched at disclosure. GitHub.com and Enterprise Cloud are already fixed, but self-hosted admins must upgrade to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, or 3.20.0.

By Danny MercerRead Full Article

high

CVE AdvisoryVulnerability•Apr 29, 2026

HIGH: Storm-1175 Chains ConnectWise ScreenConnect Bugs to Drop Medusa Ransomware (CVE-2024-1708)

CISA added the two-year-old ConnectWise ScreenConnect path traversal flaw CVE-2024-1708 to its Known Exploited Vulnerabilities catalog on April 28, 2026, after China-aligned Storm-1175 was caught chaining it with the SlashAndGrab auth bypass CVE-2024-1709 to deploy Medusa ransomware through compromised MSP infrastructure. Federal agencies have until May 12 to remediate.

high

CVE AdvisoryVulnerability•Apr 28, 2026

HIGH: APT28 Exploits Incomplete Windows Shell Patch for Zero-Click NTLM Theft (CVE-2026-32202)

Microsoft has confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing flaw that turns out to be an incomplete patch for an APT28 zero-day from earlier this year. The Russian GRU-linked group is using crafted LNK files to silently steal NTLM credentials with zero clicks, and the original April 14 advisory dramatically understated the severity until Microsoft corrected it on April 27.

high

CVE AdvisoryVulnerability•Apr 27, 2026

HIGH: Bitwarden CLI Hit by Shai-Hulud Third Coming Worm in Checkmarx Supply Chain Cascade

A poisoned build of @bitwarden/cli version 2026.4.0 lived on the npm registry for roughly ninety minutes on April 22, 2026, infecting around 334 developer machines with the third generation of the Shai-Hulud worm. The attack chained off the prior compromise of the checkmarx/ast-github-action GitHub Action, harvested cloud credentials, GitHub and npm tokens, and AI coding tool configs, then self-propagated by injecting malicious workflows into accessible repositories.

critical

CVE AdvisoryVulnerability•Apr 26, 2026

ArcaneDoor FIRESTARTER Backdoor Survives Every Cisco Firewall Patch — Federal Networks Still Exposed

The FIRESTARTER implant from the ArcaneDoor campaign persists through Cisco ASA firmware updates on federal networks. CISA and UK NCSC issued a joint advisory with IOCs, detection signatures, and emergency mitigation steps. If you run Cisco Firepower or ASA, check your devices now.

critical

CVE AdvisoryVulnerability•Apr 25, 2026

CRITICAL: FIRESTARTER Backdoor Survives Cisco Firewall Patches in ArcaneDoor Federal Breach

CISA and the UK NCSC went public with a joint advisory on FIRESTARTER, a stealth implant tied to the UAT-4356 ArcaneDoor crew that survived firmware updates and security patches on a Cisco Firepower device inside a federal civilian agency. The malware chains CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 to gain root on Cisco ASA and FTD appliances, then hooks LINA and persists through reboots until a hard power cycle is performed.

high

CVE AdvisoryVulnerability•Apr 24, 2026

HIGH: LMDeploy CVE-2026-33626 SSRF Exploited Within Hours of Disclosure

A server-side request forgery flaw in the LMDeploy vision-language pipeline was under active exploitation twelve hours and thirty-one minutes after public disclosure, and no upstream patch has shipped yet. Attackers are already probing exposed instances for AWS metadata credentials, Redis on localhost, and loopback services.

high

CVE AdvisoryVulnerability•Apr 23, 2026

HIGH: Apple Patches iOS Notification Bug That Let the FBI Pull Deleted Signal Messages Off an iPhone (CVE-2026-28950)

Apple shipped iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a data retention flaw in the Notification Services framework that kept the text of deleted notifications in an internal database. The FBI used the bug to recover Signal message content from a seized iPhone after the Signal app had been deleted. Patch every managed iPhone today and enforce preview redaction on sensitive messaging apps.

critical

CVE AdvisoryVulnerability•Apr 22, 2026

CRITICAL: Microsoft Patches CVSS 9.1 ASP.NET Core Flaw Letting Attackers Forge Authentication Cookies on Linux

Microsoft published an advisory for CVE-2026-40372, a CVSS 9.1 elevation-of-privilege flaw in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 that lets a network-positioned attacker forge authentication cookies and decrypt protected payloads. The bug primarily affects Linux and macOS deployments where the managed authenticated encryptor computes its HMAC tag over the wrong bytes and skips the comparison entirely. Patch to 10.0.7 immediately and rotate the DataProtection key ring if the application was internet-exposed during the vulnerable window.

high

CVE AdvisoryVulnerability•Apr 21, 2026

HIGH: Three Microsoft Defender Zero-Days Chain Into SYSTEM Takeover With Two Still Unpatched

Three zero-day vulnerabilities in Microsoft Defender, nicknamed BlueHammer, RedSun, and UnDefend, are under active exploitation after researcher Chaotic Eclipse dumped working proof-of-concept code. Only BlueHammer (CVE-2026-33825, CVSS 7.8) has been patched. RedSun escalates local users to SYSTEM on fully patched systems while UnDefend silently disables Defender definition updates, making the chained attack especially dangerous until the May 13 Patch Tuesday.

critical

CVE AdvisoryVulnerability•Apr 17, 2026

CRITICAL: Cisco Drops Patches for Four Critical Flaws in ISE and Webex: One Lets Attackers Impersonate Anyone

Cisco released patches for four critical vulnerabilities affecting Identity Services Engine and Webex. CVE-2026-20184 allows unauthenticated attackers to impersonate any Webex user, while three ISE flaws enable remote code execution and root privilege escalation.

critical

CVE AdvisoryVulnerability•Apr 16, 2026

nginx-ui Unauthenticated RCE Gives Attackers Full Web Server Control (CVE-2026-33032)

A critical unauthenticated RCE in nginx-ui lets attackers take over your web server through a single API call. The flaw exists because one MCP endpoint skipped authentication checks entirely. Patch immediately or restrict access to the management interface.

high

CVE AdvisoryVulnerability•Apr 15, 2026

HIGH: Scattered Spider Returns: UK Retail Giants Fall to Social Engineering Blitz

Scattered Spider, the group behind the MGM and Caesars attacks, has hit Marks & Spencer, Co-op, and Harrods in a coordinated campaign deploying DragonForce ransomware. The attacks relied on social engineering help desk staff rather than technical exploits.

critical

CVE AdvisoryVulnerability•Apr 14, 2026

Kubernetes Image Builder Bakes Default SSH Credentials Into Every VM It Creates (CVE-2024-9486)

CVE-2024-9486 (CVSS 9.8) in Kubernetes Image Builder leaves a well-known default SSH password on every VM image it builds. Anyone who knows the builder account password can SSH in and take full control. Check your images and rotate credentials immediately.

high

CVE AdvisoryVulnerability•Apr 13, 2026

HIGH: Your Phone Ads Are Snitching on You: Inside the 500-Million-Device Surveillance Machine

Citizen Lab revealed that law enforcement agencies worldwide are using Webloc, a tool built by Israeli intelligence company Cobwebs Technologies, to track 500 million mobile devices through advertising data without warrants. Clients include ICE, US military, and police departments across America.

high

CVE AdvisoryVulnerability•Apr 12, 2026

HIGH: CPUID Website Breach Spreads STX RAT Through Trojanized CPU-Z and HWMonitor Downloads

The official CPUID website was compromised for 19 hours, redirecting users to malicious downloads of CPU-Z and HWMonitor that delivered STX RAT. Over 150 victims identified across retail, manufacturing, telecom, and individual users in Brazil, Russia, and China.

high

CVE AdvisoryVulnerability•Apr 11, 2026

HIGH: Fortinet Warns of Persistent Access Technique That Survives Even After Patching

Fortinet has disclosed that threat actors are using a symlink-based technique to maintain read-only access to FortiGate devices even after security patches are applied. The method exploits the SSL-VPN language files directory to create persistent filesystem access.

critical

CVE AdvisoryVulnerability•Apr 10, 2026

Smart Slider 3 Pro WordPress Supply Chain Attack: 800K at Risk

Attackers hijacked Smart Slider 3 Pro update system, pushing a backdoor to 800K+ WordPress sites in 6 hours. Creates hidden admins and steals credentials.

critical

CVE AdvisoryVulnerability•Apr 9, 2026

CRITICAL: Adobe Reader Zero-Day Has Been Quietly Pwning Users Since December

A sophisticated zero-day in Adobe Reader has been exploited in the wild since at least December 2025. Malicious PDFs disguised as invoices automatically execute JavaScript to harvest data and download additional payloads. No patch is currently available.

critical

CVE AdvisoryVulnerability•Apr 8, 2026

CRITICAL: North Korea's Contagious Interview Campaign Hits 1,700 Packages Across Five Ecosystems

DPRK-linked threat actors have infected over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist since January 2025. The Contagious Interview campaign delivers infostealers and RATs through developer tooling that looks completely legitimate until activated.

Is Your Mobile App Secure?

Our CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.

Learn About Mobile Pen Testing MSP Partner Program

PreviousPage 2 of 6Next

Stay Informed

Subscribe to our newsletter and get the latest security insights delivered to your inbox.