Security News.
Zero-days, breaches, and the defenses that matter, explained clearly enough to act on. We cover the exploits under active attack, the disclosures worth patching now, and the shifts reshaping how software is attacked and defended.
Security
AssuranceAmerica Breach Hit 6.9M Driver's Licenses
AssuranceAmerica detected an intrusion on March 17 and began notifying 6.99 million people on July 10, a 115-day gap. Attackers took names, contact details and driver's license numbers, and the company is not offering identity theft protection to those affected.
Security
Cisco UCM SSRF Flaw CVE-2026-20230 Is Under Active Attack
Cisco confirmed attackers are actively exploiting CVE-2026-20230, a server-side request forgery flaw in Unified Communications Manager, and CISA has added it to its Known Exploited Vulnerabilities catalog, starting the federal patch clock.
Security
China-Linked Hackers Exploit Roundcube Flaw at Universities
A China-aligned threat cluster is actively exploiting a critical Roundcube webmail cross-site scripting flaw, CVE-2024-42009 (CVSS 9.3), against U.S. and Canadian universities, using a booby-trapped email that runs script the moment a victim opens it to steal mail and credentials.
Security
BeyondTrust Patches Two Pre-Auth Remote Support Flaws
BeyondTrust patched two critical pre-authentication vulnerabilities, CVE-2026-40138 and CVE-2026-40139 (both CVSS 9.2), in its Remote Support and Privileged Remote Access products. Patch immediately.
Security
Microsoft Patches 570 Flaws, Two Zero-Days Exploited
Microsoft's July 2026 Patch Tuesday fixes a record 570 flaws, including two zero-days already under active attack: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server, both privilege-escalation bugs. A third, a BitLocker bypass, was publicly disclosed.
Security
Progress Confirms ShareFile Zero-Day Behind Server Shutdown
Progress confirmed a high-severity path traversal zero-day in ShareFile Storage Zone Controllers is behind last week's emergency server shutdown, and has now shipped a patch. The flaw hits all 5.x and 6.x on-premises controllers; cloud-only ShareFile accounts are unaffected.
Security
OpenAI Mandates Hardware Passkeys for Cyber Access
OpenAI now requires every Trusted Access for Cyber member to enable a hardware-backed passkey by September 1, 2026, or lose access to its frontier cyber models, making the login itself a security control alongside GPT-5.6 Sol.
Security
Three FortiSandbox CVEs Hit by AI-Generated Exploits
Honeypots are catching in-the-wild exploitation of three patched Fortinet FortiSandbox flaws, CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089, and researchers say the exploit code for one of them appears to have been written by an AI model.
Security
Microsoft Rates M365 Copilot and Exchange Bugs Critical
Microsoft disclosed two critical cloud privilege-escalation flaws: CVE-2026-41106 in M365 Copilot (open redirect to privilege escalation) and CVE-2026-54998 in Exchange Online (incorrect authorization), an unusual critical rating for privilege bugs.
Security
Grok Build CLI Secretly Uploads Your Entire Repo to xAI
Wire-level analysis disclosed hours ago shows xAI's Grok Build CLI quietly uploads your whole Git repository, including files it never reads and unredacted secrets, to a Google Cloud bucket, and the privacy toggle does not stop it.
Security
Zimbra Patches Stored-XSS RCE in Classic Web Client
Zimbra urged customers to patch a critical stored cross-site-scripting flaw in its Classic Web Client that lets a specially crafted email run malicious scripts in a victim's session, a bug class attackers have repeatedly turned into full mail-server compromise.
Security
Adobe ColdFusion Patches 11 Critical Bugs, 6 Rated 10.0
Adobe shipped fixes for 11 critical ColdFusion vulnerabilities, six of them carrying the maximum CVSS 10.0 score and all enabling unauthenticated attackers to run arbitrary code on the server. Adobe assigned its highest priority and urged patching within 72 hours.
Security
Injective's npm SDK Was Hijacked to Drain Wallets
Attackers hijacked Injective Labs' SDK GitHub repo and pushed a poisoned npm package with fake telemetry that stole crypto wallet private keys and seed phrases before it was deprecated.
Security
Nightmare Eclipse Dumps 6 Unpatched Microsoft Exploits
A pseudonymous researcher published details and proof-of-concept code for six Microsoft vulnerabilities, including Defender privilege escalations and a Secure Boot bypass, without coordinating with Microsoft.
Security
A CVSS 10 UniFi flaw exposes 100,000 gateways to takeover
CVE-2026-50746 is a maximum-severity command-injection flaw in Ubiquiti's UniFi Connect app that lets an unauthenticated attacker on the network run OS commands on the host; patch to 3.4.20 now.
Security
Gitea Docker flaw CVE-2026-20896 hands over admin access
A CVSS 9.8 flaw in Gitea’s Docker images, CVE-2026-20896, let any internet client impersonate users via a trusted proxy header. Sysdig caught the first in-the-wild exploit 13 days after disclosure.
Security
GhostLock: a 15-year Linux bug hands attackers root
GhostLock (CVE-2026-43499) is a 15-year-old Linux kernel flaw present in nearly every major distribution since 2011 that lets a local attacker escalate to root and escape containers, making patching urgent across servers and clouds.
Security
WinRAR Heap Overflow CVE-2026-14191 Needs a Manual Patch
A new heap overflow in WinRAR, CVE-2026-14191 (CVSS 7.8), lets a booby-trapped RAR5 recovery volume corrupt memory and potentially run code. Because WinRAR has no auto-updater, hundreds of millions of installs stay vulnerable until users patch by hand.
Security
Langflow is the first AI agent platform on CISA's KEV
CISA added Langflow's CVE-2026-55255, a cross-tenant IDOR flaw, to its Known Exploited Vulnerabilities catalog, the first time an AI agent orchestration platform has landed there. Sysdig saw it exploited in the wild to steal LLM and cloud keys; patch to 1.9.2 and rotate every credential.
Security
FortiBleed: Hacked Fortinet Firewalls Fuel a Ransomware Wave
The FortiBleed campaign is turning compromised Fortinet firewalls into ransomware launchpads, with 74,000 stolen credentials for sale and at least 12 confirmed infections tied to the INC and Lynx ransomware crews.
Security
Microsoft Patches RoguePlanet Defender Zero-Day
Microsoft has shipped the fix for RoguePlanet (CVE-2026-50656), the Windows Defender zero-day that let any low-privileged user open a SYSTEM shell on a fully patched Windows 10 or 11 machine. The patch lands inside Malware Protection Engine 1.1.26060.3008 and distributes automatically.
Security
JetBrains Flaws Chain From Login Bypass to Build Takeover
JetBrains patched a cluster of critical flaws across Hub, YouTrack, TeamCity and its IDEs, led by a CVSS 9.8 account-takeover bug in Hub that an attacker can chain into remote code execution and control of a company's build pipeline.
Security
Sysdig logs the first end-to-end AI-agent ransomware
Sysdig documented what it calls the first ransomware attack run end to end by an AI agent, from initial access through encryption, with the model making the operational decisions a human operator normally would. It is a preview of autonomous intrusions, and it collapses the time defenders have to react.
Security
Citrix NetScaler Flaw Echoes CitrixBleed, Exploit Is Out
Citrix disclosed six NetScaler vulnerabilities; CVE-2026-8451 (CVSS 8.8) lets attackers leak memory from SAML identity-provider appliances. Exploit code is public and scanning began within 24 hours.
Security
EU Parliament Fast-Tracks Chat Control in 331-304 Vote
The EU Parliament narrowly approved an urgency motion, 331 to 304, on July 7 to fast-track reviving Chat Control message scanning, setting up a decisive vote on Thursday.
Security
Januscape: a 16-Year KVM Bug Escapes Guest to Host
Januscape (CVE-2026-53359) is a use-after-free in Linux KVM's shadow MMU that lets a guest VM corrupt host kernel memory, the first guest-to-host escape triggerable on both Intel and AMD.
Security
A Windows Device ID Unmasked a Hacker Behind a VPN
A persistent Windows Global Device Identifier, generated at install and impossible to turn off, let the FBI unmask an alleged Scattered Spider hacker who hid behind a VPN and an ngrok tunnel. Microsoft telemetry tied his device to the attack, then to his personal Apple, Snapchat, and Facebook logins.
Security
SimpleHelp Auth-Bypass Flaw Threatens MSPs at CVSS 10
A maximum-severity flaw in SimpleHelp remote-support software, CVE-2026-48558 (CVSS 10.0), lets an unauthenticated attacker forge an identity token and take over a technician session, a supply-chain risk that could cascade from one managed service provider to all its clients.
Security
Bad Epoll Flaw Hands Local Root on Most Linux Systems
A newly disclosed Linux kernel flaw, CVE-2026-46242 in the epoll subsystem, lets any unprivileged local user escalate to root across desktops, servers, and Android. A fix is out, and patching is the only real mitigation.
Security
FatFs Flaws Let a Rigged USB Take Over IoT Devices
Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library baked into the firmware of cameras, drones, industrial controllers, and hardware crypto wallets, where a booby-trapped USB drive or SD card can corrupt memory and run attacker code.
Security
Kemp LoadMaster Bug (CVSS 9.6) Under Active Attack
A critical command-injection flaw in Progress Kemp LoadMaster, CVE-2026-8037 (CVSS 9.6), is being actively exploited to run arbitrary OS commands on internet-facing load balancers, with attacks observed from June 29.
Security
SharePoint RCE Flaw Is Under Active Attack, CISA Warns
CISA added a high-severity Microsoft SharePoint Server flaw, CVE-2026-45659, to its Known Exploited Vulnerabilities catalog on July 2 after confirming active exploitation. The bug is a remote-code-execution hole from unsafe deserialization, patched in May, and every on-prem SharePoint server that skipped that update is exposed.
Security
KDDI Breach Exposes 14M Users, Passwords in Plaintext
KDDI disclosed a breach of its email platform that may have exposed up to 14.22 million customers across six ISPs, and admitted only some passwords were hashed, meaning others sat in plaintext. Shared infrastructure widened the blast radius and weak storage turned it into a credential dump.
Security
DirtyClone Hands Local Root on Default Linux Systems
DirtyClone (CVE-2026-43503) is a Linux kernel flaw that lets any local user escalate to root by cloning network packets, and it works on default Debian, Ubuntu, and Fedora installs with standard namespace configurations.
Security
Oracle PeopleSoft zero-day hit 100+ orgs, breached Nissan
A CVSS 9.8 zero-day in Oracle PeopleSoft (CVE-2026-35273) let the ShinyHunters extortion crew take over 300+ servers at 100+ organizations before Oracle's June 10 emergency patch. The unauthenticated SSRF-to-RCE flaw exposed employee Social Security and banking data at Nissan and hit dozens of universities.
Security
SharePoint RCE Flaw Lands on CISA's Exploited List
CISA added CVE-2026-45659, a CVSS 8.8 remote code execution flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog after confirming active attacks. Any authenticated user can trigger it, with no admin privileges required.
Security
AirDrop and Quick Share Flaws Expose Billions of Phones
Researchers at CISPA disclosed six vulnerabilities in Apple AirDrop and Google and Samsung Quick Share on June 30, 2026, letting an attacker within wireless range crash nearby devices with no pairing or user tap, though the flaws cause denial of service rather than data theft or code execution.
Security
Kemp LoadMaster Pre-Auth RCE Is Now Under Active Attack
CVE-2026-8037 is a pre-authentication remote code execution flaw in Progress Kemp LoadMaster, rated up to CVSS 9.8, that lets an unauthenticated attacker run system commands on the load balancer. Exploitation attempts began June 29, 2026, the same day a public proof-of-concept dropped. Patch now if the API is enabled.
Security
DuneSlide Turns a Cursor Prompt Into Full Code Execution
Cato AI Labs disclosed DuneSlide, two 9.8-severity flaws (CVE-2026-50548 and CVE-2026-50549) that let a poisoned web page or MCP response escape Cursor's AI sandbox and run any command on a developer's machine, no click required.
A PraisonAI Flaw Was Exploited Within Hours of Disclosure
Attackers began hitting the PraisonAI authentication-bypass flaw, CVE-2026-44338, less than four hours after it was publicly disclosed, because a legacy Flask API server shipped with authentication disabled by default.
A 9.8 Oracle E-Business Suite Flaw Is Under Active Attack
CVE-2026-46817, a 9.8-severity unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being exploited in the wild, first seen June 27, 2026, six weeks after a patch and before any public exploit existed.
BlueHammer Defender Zero-Day Hit SYSTEM in the Wild
CVE-2026-33825, nicknamed BlueHammer, is a Microsoft Defender flaw that let a low-privileged attacker win SYSTEM by racing Defender's own rollback engine; it was exploited in the wild and later tied to ransomware.
FortiBleed Exposed Credentials for 86,000 Fortinet Firewalls
FortiBleed leaked working admin credentials for roughly 86,000 internet-facing Fortinet firewalls across 194 countries. Because it exploits no software bug, there is nothing to patch: every affected organization must treat its credentials as compromised.
A Cisco Zero-Day Was Exploited for Two Months Before Anyone Knew
Mandiant found that CVE-2026-20245, a high-severity Cisco Catalyst SD-WAN flaw, was exploited as a zero-day at least two months before Cisco disclosed it on June 4, 2026. Patches began rolling out June 10, after attackers already had a long head start.
Microsoft Just Shipped Its Largest Patch Tuesday Ever, and That Is Not Good News
June 2026 was the most patch-dense month in Microsoft history: 200 vulnerabilities in one Patch Tuesday, including six zero-days. A record like this is a symptom, not an achievement.
A Self-Spreading Worm Is Eating the Open-Source Supply Chain. Its Name Is Shai-Hulud.
A self-propagating worm has compromised over 100 npm and PyPI packages in a single June wave, stealing developer credentials and using them to infect more packages. The source code is now public, and clones have arrived.
An Anonymous Account Is Dumping Zero-Days Into the Open. That Should Worry Everyone.
An anonymous GitHub account is mass-publishing working exploits for flaws vendors never got to patch. It is a direct attack on the fragile bargain that keeps software security from becoming a free-for-all.
Security
How Phishing Got Smart Enough to Fool Experts
The cartoon image of phishing, a typo-ridden email from a fake prince, is obsolete. Modern phishing is targeted, polished, and good enough to catch professionals.
Why Software Updates Are a Security Decision, Not a Chore
The notification asking you to update is easy to dismiss for days. Behind that small annoyance is one of the most effective security habits available to anyone.
Security
Why Your Browser Is the Most Important Security Tool You Have
People hunt for security in antivirus apps and gadgets, but the single piece of software that protects you most is the one you stare at all day: your web browser.
Passkeys Are Killing the Password, Finally
After decades of failed attempts to replace the password, a standard called passkeys is actually gaining ground. The reason is that it removes the part humans get wrong.
Security
Why 'Zero Trust' Is More Than a Buzzword
The phrase gets stamped on every security product, which makes it easy to dismiss. The idea underneath is a genuine and overdue shift in how networks are defended.
The Supply-Chain Attack Problem No One Has Solved
You can lock down your own code perfectly and still get breached, through a dependency you trusted. It's modern software's most uncomfortable weakness.
Ransomware Became a Business. Here's the Model.
The image of a lone hacker in a hoodie is badly out of date. Ransomware now runs on org charts, customer support, and affiliate programs.
Stop Reusing Passwords, Here's the Real Risk
Reusing one good password across sites feels safe because the password is strong. The danger isn't the password's strength. It's what happens when any one site is breached.
Security
End-to-End Encryption, Without the Hype
It's the feature privacy advocates demand and some governments want to weaken. Strip away the politics and end-to-end encryption is a simple, powerful idea.
Two-Factor Authentication: Not All Methods Are Equal
Turning on two-factor authentication is one of the best security moves you can make. But the method you choose matters more than most people realize.