Attackers target critical FortiSandbox flaws as CISA issues patch order

Attackers are actively exploiting critical vulnerabilities in Fortinet's FortiSandbox products, prompting CISA to issue a directive mandating patches. Researchers have identified abuse attempts targeting command injection flaws within these devices.

New Windows LegacyHive zero-day gives hackers admin privileges

A new Windows zero-day exploit named LegacyHive has been publicly released by a security researcher. This exploit allows attackers to gain administrative privileges on patched Windows systems. The vulnerability is believed to affect specific Windows components and has been demonstrated to work on the latest Windows versions.

Google fixing Android lock screen bug that lets Gemini send SMS without a PIN

Google is addressing a vulnerability in Android's lock screen that allows the Gemini AI model to send SMS messages without requiring a PIN. A specific multi-touch gesture on the lock screen can bypass the authentication prompt, enabling unauthorized access to the messaging function.

CISA urges immediate action on actively exploited Fortinet flaws

CISA has issued a directive to government agencies, mandating the immediate patching of two critical vulnerabilities found in Fortinet's FortiSandbox threat detection platform. These vulnerabilities are reportedly being actively exploited, underscoring the urgency of the advisory.

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

CISA has added a critical SharePoint Server remote code execution (RCE) vulnerability, CVE-2026-58644, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are mandated to apply the necessary patches by July 19, 2026.

Claude Chrome extension flaw lets malicious extensions trigger AI actions

A flaw in Anthropic's Claude for Chrome browser extension could allow malicious extensions to trigger AI actions by simulating user clicks. This could enable attackers to abuse Claude's access to connected services like Gmail, Google Docs, Google Calendar, and Salesforce.

Zoom patches account takeover hole

Zoom has patched a critical security vulnerability that could allow an unauthenticated user to take over accounts remotely. The company also addressed three other less severe privilege escalation flaws across various Zoom products for Windows. These patches are crucial given Zoom's widespread use in both personal and business environments.

n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

The workflow automation platform n8n has a flaw in its token exchange mechanism. On enterprise instances configured with multiple token issuers, the platform incorrectly matches incoming JWTs to local users based solely on the 'sub' claim, ignoring the 'iss' claim. This allows a valid token from one issuer to log a user in as someone else if their 'sub' claim matches a user under a different issuer.

CISA urges immediate SharePoint hardening as exploits mount

CISA has issued an urgent warning and urged organizations to harden their Microsoft SharePoint deployments due to active exploitation of three vulnerabilities. These vulnerabilities, now listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, pose a significant risk, especially for internet-facing instances, potentially allowing attackers initial access to enterprise environments.

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. These include two command injection vulnerabilities in Fortinet FortiSandbox OS and a deserialization vulnerability in Microsoft SharePoint. The update reinforces the importance of CISA's Binding Operational Directive (BOD) 26-04 for federal agencies to prioritize remediation of these high-risk vulnerabilities.

NASA Core Flight System (cFS) Health & Safety (HS) Application

A NULL Pointer Dereference vulnerability has been identified in NASA's Core Flight System (cFS) Health & Safety (HS) Application. Successful exploitation could allow an unauthenticated attacker to cause a denial-of-service condition by crashing the application.

SALTO ProAccess Space

SALTO ProAccess Space software versions prior to 6.13 are vulnerable to a privilege escalation attack (CVE-2026-11889) if the partition feature is enabled. Successful exploitation by an authenticated attacker could allow access to spaces outside their assigned partition. A CVSS score of 6.5 has been assigned to this vulnerability.

Rockwell Automation 1756-EN2, 1756-EN3, and 1756-ENBT

Rockwell Automation's 1756-EN2, 1756-EN3, and 1756-ENBT communication modules are affected by a denial-of-service vulnerability due to improper validation of CIP Implicit Connection packets. An attacker could exploit this by sending crafted packets to disrupt device connections.

Rockwell Automation Flex 5000 Adapter

Rockwell Automation Flex 5000 Adapter version 6.011 is affected by a denial-of-service vulnerability (CVE-2026-12659) due to improper handling of crafted CIP packets. Successful exploitation could lead to a denial-of-service condition requiring a power cycle to recover the module.

Rockwell Automation FactoryTalk DataMosaix

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Rockwell Automation FactoryTalk DataMosaix Private Cloud versions less than or equal to 8.02. Successful exploitation by an authenticated attacker could allow for the injection and permanent storage of malicious scripts on the server, leading to potential account takeover or credential theft when other users access affected pages.

Rockwell Automation Arena

Rockwell Automation Arena has several vulnerabilities, including out-of-bounds writes in the model.exe component, that could allow an attacker to execute arbitrary code. These vulnerabilities affect versions less than or equal to V17.00.00. Rockwell Automation recommends updating to V17.00.01 to mitigate these risks.

Siemens SICAM 8

Siemens SICAM 8 products are affected by multiple vulnerabilities, including an active debug code, initialization of a resource with an insecure default, and unverified password change. These flaws could allow an authenticated attacker to cause denial of service conditions by crashing the web process. Siemens has released updated versions to address these vulnerabilities.

AutomationDirect Productivity Suite

AutomationDirect Productivity Suite versions prior to v4.6.2.2 are vulnerable to multiple security flaws including out-of-bounds writes, out-of-bounds reads, and divide-by-zero errors. Successful exploitation could allow a local attacker with physical access to cause memory corruption, information disclosure, application instability, or denial-of-service conditions.

Windows 10 refuses to die, and the security bill is coming due

Despite reaching its end of support in October 2025, a significant portion of Windows 10 machines remain unmigrated. This continued reliance on an unsupported operating system poses a substantial security risk, as these systems will no longer receive critical security patches.

CISA orders feds to patch actively exploited Oracle flaw by Saturday

CISA has issued a directive ordering federal agencies to patch a critical vulnerability in Oracle E-Business Suite by Saturday due to active exploitation. This vulnerability affects the financial application and poses a significant risk to sensitive government data and operations.

Splunk, Zoom Patch Critical Vulnerabilities

Splunk and Zoom have released patches for critical vulnerabilities that could allow attackers to gain unauthorized access to credentials and data, take over accounts, and escalate privileges. These flaws pose a significant risk to organizations using these platforms.

Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide

A critical vulnerability in Shark robot vacuums allows attackers to remotely control other vacuums in the same AWS region by extracting the device's certificate. Exploiting this flaw enables attackers to access the vacuum's camera, control its movement, read house maps, and steal Wi-Fi credentials.

F5 Patches Multiple NGINX, BIG-IP Vulnerabilities

F5 has released patches for multiple vulnerabilities affecting its NGINX and BIG-IP products. Attackers could exploit these flaws to modify configurations, terminate or restart processes, bypass security controls, leak memory, and execute arbitrary code.

Old UEFI Shims Expose Systems to Secure Boot Bypass

Vulnerable UEFI shim bootloaders, signed by Microsoft, can be exploited to bypass Secure Boot on any operating system. This vulnerability allows attackers to potentially load malicious code during the boot process, undermining system integrity.

Zoom Patches Critical Windows Flaw That Could Enable Account Takeover

Zoom has released security updates for a critical vulnerability in its Windows client that could allow attackers to take over user accounts. The flaw, CVE-2026-53412, is rated with a CVSS score of 9.8 and affects multiple Zoom Windows applications.

Flaw surge fuels need for CISOs to rethink vulnerability management

Security experts are urging organizations to adopt "just in time" patching and re-evaluate their vulnerability management strategies due to an increasing rate of vulnerability exploitation, which is being amplified by AI tools. The surge in AI-driven vulnerability discovery threatens to overwhelm existing patching processes, exacerbating the gap between vulnerability identification and remediation.

Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day

A researcher has disclosed a Windows zero-day vulnerability named 'LegacyHive' following the 'Nightmare Eclipse' operation. The proof-of-concept exploit has been intentionally limited to prevent immediate widespread exploitation.

CVE-2026-58644: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

Microsoft SharePoint has a deserialization of untrusted data vulnerability that allows remote code execution by unauthorized attackers. Users are instructed to apply mitigations provided by the vendor, following CISA's guidance on prioritizing security updates and forensic triage requirements.

CVE-2026-25089: Fortinet FortiSandbox OS Command Injection Vulnerability

A critical OS command injection vulnerability (CVE-2026-25089) has been identified in Fortinet FortiSandbox products. An unauthenticated attacker can exploit this flaw via crafted HTTP requests to execute unauthorized commands. Organizations are urged to apply vendor-provided mitigations and adhere to CISA's risk-based patching guidance.

Forgotten Bootloaders Expose Secure Boot Blind Spot

Attackers have exploited a vulnerability in UEFI shim bootloaders, allowing them to bypass Secure Boot protections for years. Nearly a dozen of these vulnerable bootloaders were revoked, but their prior trust created a security blind spot.

Zoom warns of critical account takeover vulnerability

Zoom has issued a warning about a critical vulnerability affecting its desktop client and SDK for Windows. Attackers can exploit this flaw to take over user accounts without authentication. This vulnerability requires users to have Zoom installed and be logged into an account on the affected platform.

Windows 0-day drops the same day Microsoft releases record number of patches

Microsoft has released a record number of patches for its operating systems and other products, addressing 76 vulnerabilities. Concurrently, a zero-day exploit dubbed HiveLegacy has surfaced, which researchers describe as a powerful primitive with the potential for further malicious activities.

Claude Flaw Automatically Sends Malicious Prompts to AI Agents

A vulnerability in Anthropic's Claude AI model, dubbed "PromptFiction," could allow malicious prompts to be automatically sent to AI agents. When combined with another exploit, this flaw could have enabled an end-to-end attack on a targeted system. The vulnerability has since been fixed.

CISA sounds alarm over trio of exploited SharePoint flaws

CISA has issued a warning about three actively exploited vulnerabilities in Microsoft SharePoint. Two of these flaws are rated as critical and could lead to further exploitation. Organizations are urged to apply patches immediately to mitigate the risks.

Unpatched Cursor Vulnerability Exposes Users to Code Execution

A vulnerability in the Cursor code editor allows attackers to execute arbitrary code by creating a malicious repository with a git.exe file in the project root. Cursor automatically executes this file, leading to potential code execution on the user's system.

We built a vulnerability vending machine: AI tokens in, zero-days out

Intruder has developed an AI-powered system, dubbed a "vulnerability vending machine," that automates the discovery of complex software vulnerabilities by integrating code slicing with large language models. The system successfully identified and exploited a previously unknown zero-day vulnerability in a WordPress plugin, with further discoveries being disclosed responsibly.

2-Click Cursor Exploit Enables Dev Environment Takeover

A newly discovered "2-click cursor exploit" leverages fundamental, age-old bugs within development environments to grant attackers access to sensitive developer secrets and source code. This vulnerability can lead to a full takeover of the development environment, posing a significant risk to intellectual property and software integrity.

New Windows Bind Link techniques let attackers evade EDR, security controls

Attackers are leveraging new techniques that abuse Windows Bind Links, a legitimate filesystem virtualization capability, to evade detection by endpoint security tools like EDR, AMSI, and AppLocker. Bitdefender researchers identified three methods – File Binding, Process-Binding, and Silo-Binding – that redirect trusted file paths to malicious ones, allowing malware to execute undetected.

New bugs in Claude for Chrome allow extensions to abuse AI privileges

Researchers have discovered two vulnerabilities in the Claude for Chrome extension that allow malicious browser extensions to trigger privileged actions, such as reading Gmail messages and Google Docs content. These flaws remain exploitable months after being reported, with the affected code appearing unchanged in recent versions.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, specifically CVE-2023-4346 and CVE-2026-46817, due to evidence of active exploitation. The article emphasizes the importance of the KEV Catalog for federal agencies in prioritizing security updates based on risk, as mandated by Binding Operational Directive (BOD) 26-04, and encourages all organizations to adopt similar risk-based vulnerability management practices.

Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow

Fortinet, Ivanti, and ServiceNow have released patches for critical vulnerabilities. A significant flaw in ServiceNow's AI platform could enable remote attackers to execute arbitrary code.

Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

A critical flaw has been discovered in the Cursor code editor that allows malicious cloned repositories to execute arbitrary code on Windows. If a repository contains a file named 'git.exe' in its root directory, Cursor will automatically run it without any user interaction, potentially exposing sensitive data and credentials.

CISA warns admins to patch actively exploited SharePoint flaws

CISA has issued a warning regarding three actively exploited vulnerabilities in on-premises SharePoint Server instances. Administrators are urged to patch these flaws immediately to prevent further exploitation by attackers.