0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Palo Alto Networks PAN-OS GlobalProtect Command Injection Zero-Day
A command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Exploited in the wild as a zero-day before a patch was available.
Ivanti Connect Secure / Policy Secure Authentication Bypass
An authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure gateways allows a remote attacker to access restricted resources without credentials. Chained with CVE-2024-21887 for full remote code execution in real-world attacks.
Ivanti Connect Secure / Policy Secure Command Injection
A command-injection vulnerability in the web components of Ivanti Connect Secure and Policy Secure lets an authenticated administrator send specially crafted requests to execute arbitrary commands. Chained with CVE-2023-46805's auth bypass for unauthenticated RCE in the wild.
Cisco IOS XE Web UI Privilege Escalation Zero-Day
A privilege-escalation vulnerability in the Web UI feature of Cisco IOS XE Software allows a remote, unauthenticated attacker to create an account with privilege level 15 (full admin) access, enabling full device takeover. Exploited at mass scale against tens of thousands of devices.
Citrix Bleed — NetScaler ADC and Gateway Sensitive Information Disclosure
A buffer-overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway allows attackers to harvest valid session tokens from device memory, hijacking authenticated sessions and bypassing MFA entirely. Widely known as "Citrix Bleed."
From the desk

Spring4Shell: Why This One Needed Careful Triage, Not Panic
CVE-2022-22965 leaked publicly before VMware's patch was ready — but unlike Log4Shell, exploitation required a specific combination of conditions that made blanket panic the wrong response.
Anubis ransomware seen exploiting Citrix Bleed 2 for initial access
The Hacker News reports Anubis ransomware affiliates using Citrix Bleed 2 (CVE-2025-5777) to breach NetScaler-fronted environments, then pivoting with legitimate RMM tooling, BYOVD, and stolen supply-chain credentials.

The Confluence Bug That Went From Zero-Day to Mass Ransomware Precursor in Days
CVE-2022-26134 gave unauthenticated attackers remote code execution on any exposed Confluence instance — and became a go-to foothold for ransomware operators within days of disclosure.

FortiOS Auth Bypass: Why Fortinet Warned Select Customers Before Going Public
CVE-2022-40684 let attackers bypass authentication on FortiOS and FortiProxy management interfaces and plant persistent SSH keys — Fortinet quietly warned targeted customers before public disclosure.
Kemp LoadMaster pre-auth RCE (CVE-2026-8037): PoC is out, patch now
A functional proof-of-concept for a critical pre-auth RCE in Progress Kemp LoadMaster hit the internet on June 29 and eSentire started seeing exploitation attempts the same day. Progress's fix has been available since June 4.
FBI seizes NetNut proxy platform, Google degrades Popa botnet
The FBI seized hundreds of NetNut proxy domains on July 2; Google's Threat Intelligence Group, working with FBI and Lumen, cut the linked Popa botnet's usable device pool by millions the same day.
This week's SITREP
Week in Review: Five Zero-Days, One Pattern — Edge Devices Are the Front Line
This week's SITREP: Cisco IOS XE, Citrix Bleed, the Ivanti Connect Secure chain, PAN-OS GlobalProtect, and Outlook's MonikerLink bug — plus what's still active in the CISA KEV catalog and what to watch next.