Threats Tagged 'patch'

Cloudflare addressed the Copy-Fail vulnerability by developing and deploying patches across all their servers within two days of the CVE disclosure. The rapid mitigation effort highlights Cloudflare's capability to quickly respond to Linux kernel vulnerabilities using custom BPF-LSM patches. No specific affected software versions or exploitation details are provided in the source data.

A high-severity vulnerability (CVE-2025-20701) in the Beats Studio Buds wireless earbuds allowed nearby attackers to pair without user consent and listen through the microphone. The flaw was due to incorrect authorization in the Airoha Bluetooth audio SDK. Apple addressed the issue in Beats Firmware Update 1B211. Exploitation requires only Bluetooth range proximity and no user interaction. This vulnerability was publicly disclosed in June 2025 alongside related flaws in Airoha SoCs. Similar patches were issued by other vendors like Jabra. The flaw enables remote escalation of privilege and potential eavesdropping.

Three recently patched vulnerabilities in Fortinet FortiSandbox are actively targeted in the wild. Two of these vulnerabilities, CVE-2026-39808 and CVE-2026-39813, are rated critical and allow authentication bypass and OS command injection, respectively. A third vulnerability, CVE-2026-25089, patched in June 2026, permits remote unauthenticated command execution. Additionally, over 30,000 Fortinet firewalls have been compromised in a campaign dubbed FortiBleed, exposing networks globally and enabling attackers to harvest credentials for further intrusions. The threat actor uses automated scanning and credential stuffing to propagate access, with indications of targeting defense industry VPNs. Exploits have been observed since June 2026, including AI-generated attempts. Fortinet has issued patches for these vulnerabilities.

Cisco disclosed a zero-day vulnerability (CVE-2026-20262) in Catalyst SD-WAN Manager that allows an attacker with valid credentials and write access to send crafted HTTP requests to an API endpoint, enabling arbitrary file write on the underlying operating system. This vulnerability can be leveraged to escalate privileges to root. Cisco discovered the flaw internally and confirmed limited exploitation in targeted attacks. The vulnerability is considered medium severity by Cisco but is rated critical here due to its exploitation and potential impact. Cisco has released patches addressing this issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation by June 29, 2026. This is one of multiple SD-WAN vulnerabilities exploited in 2026.

Google released an update for Chrome 149 that patches 74 vulnerabilities, including a critical zero-day tracked as CVE-2026-11645. This vulnerability is a high-severity out-of-bounds read/write flaw in the V8 JavaScript engine, which allows remote code execution within the sandbox via a specially crafted HTML page. The zero-day was actively exploited in the wild and reported by an anonymous researcher in late April 2026. This is the fifth Chrome zero-day exploited in 2026, highlighting an ongoing trend of critical vulnerabilities in the browser. Google has awarded the researcher $55,000 for responsible disclosure. The patch fixes this and other critical vulnerabilities, mitigating the risk posed by these exploits.

Cisco has disclosed a critical, unpatched zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager that is actively exploited in the wild. The flaw allows local attackers with netadmin privileges to perform command injection attacks, leading to root privilege escalation by uploading crafted files. Exploitation requires valid credentials or prior exploitation of related vulnerabilities (CVE-2026-20182 or CVE-2026-20127). The vulnerability affects all deployment types of the product, including on-premises and cloud-managed versions. Cisco has not yet released a patch for this zero-day but advises monitoring for indicators of compromise and engaging Cisco TAC for incident response support. The vendor has released patches for related vulnerabilities but this specific flaw remains unpatched at this time.

Oracle released its first monthly Critical Security Patch Update (CSPU) in May 2026, addressing 77 vulnerabilities across multiple products including Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications. About a dozen of these vulnerabilities are rated critical, with several exploitable remotely without authentication. Oracle's move to monthly patching aims to reduce the window of exposure caused by delayed patch application. The May CSPU is currently available, with subsequent monthly updates planned. Oracle emphasizes that many breaches stem from unpatched known vulnerabilities rather than zero-days. Organizations using Oracle products should prioritize patching especially for Database Server and REST Data Services due to their higher attack surface and remote exploitability.

A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-45659, affects Microsoft SharePoint Server versions including Subscription Edition, 2019, and Enterprise Server 2016. The flaw arises from deserialization of untrusted data, allowing an authenticated attacker with low privileges (Site Member) to execute code remotely over the network. Microsoft has released security updates to address this vulnerability. Although Microsoft assesses exploitation likelihood as low, the vulnerability's nature and SharePoint's history of being targeted warrant prompt patching. No known exploits are currently reported in the wild.

LiteLLM, an AI Gateway used to route requests to multiple large language model providers, ships with a hardcoded master API key 'sk-1234' in its default configuration. This key grants full administrative access, including generating unlimited API keys, reading all stored provider credentials, making inference calls billed to the victim, accessing spend logs, and modifying or deleting models. The default key is present in the . env.example file and referenced directly in docker-compose setups, with no startup validation or forced rotation. The vulnerability remains unpatched as of the latest release (1.86.0). Hundreds of exposed instances with default configurations are publicly accessible, increasing the risk of exploitation. The issue was reported recently and is awaiting vendor response.