0dayNews — Vulnerability & Exploit News

$ kev-tracker --recent

Known Exploited Vulnerabilities

CVE-2026-45659
[ HIGH ] CVSS 8.8 kev

Microsoft SharePoint Server deserialization remote code execution

A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.

Microsoft / SharePoint Server (on-premises)
CVE-2026-33825
[ HIGH ] CVSS 7.8 kev

Microsoft Defender Antimalware Platform Local Privilege Escalation (BlueHammer)

A local privilege escalation flaw in Microsoft Defender Antimalware Platform caused by insufficient access-control granularity. An authorized local attacker can elevate privileges. Patched in the April 2026 Patch Tuesday release, added to the CISA KEV catalog on 2026-04-22, and confirmed by CISA in July 2026 as weaponized in ransomware attacks. Disclosed as a zero-day by researcher "Chaotic Eclipse" (aka Nightmare-Eclipse) alongside two sibling flaws — RedSun and UnDefend — in protest of Microsoft's disclosure coordination.

Microsoft / Defender Antimalware Platform (versions 4.0.0.0 through before 4.18.26030.3011)
CVE-2024-3400
[ CRITICAL ] CVSS 10.0 kev

Palo Alto Networks PAN-OS GlobalProtect Command Injection Zero-Day

A command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Exploited in the wild as a zero-day before a patch was available.

Palo Alto Networks / PAN-OS (GlobalProtect gateway/portal)
CVE-2023-46805
[ HIGH ] CVSS 8.2 kev

Ivanti Connect Secure / Policy Secure Authentication Bypass

An authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure gateways allows a remote attacker to access restricted resources without credentials. Chained with CVE-2024-21887 for full remote code execution in real-world attacks.

Ivanti / Connect Secure and Policy Secure
CVE-2024-21887
[ CRITICAL ] CVSS 9.1 kev

Ivanti Connect Secure / Policy Secure Command Injection

A command-injection vulnerability in the web components of Ivanti Connect Secure and Policy Secure lets an authenticated administrator send specially crafted requests to execute arbitrary commands. Chained with CVE-2023-46805's auth bypass for unauthenticated RCE in the wild.

Ivanti / Connect Secure and Policy Secure
CVE-2023-20198
[ CRITICAL ] CVSS 10.0 kev

Cisco IOS XE Web UI Privilege Escalation Zero-Day

A privilege-escalation vulnerability in the Web UI feature of Cisco IOS XE Software allows a remote, unauthenticated attacker to create an account with privilege level 15 (full admin) access, enabling full device takeover. Exploited at mass scale against tens of thousands of devices.

Cisco / IOS XE Software
$ latest --more

From the desk

~/articles/2026-07-04-kairos-1m-extortion-payment-us-government-ransom-isac
Kairos took $1M from a U.S. government entity — and never encrypted a file
● Breaking
ransomware

Ransom-ISAC's new case study confirms a ~$1M payment (9.44 BTC) to the Kairos crew on June 13, 2025. Krishnan's review found no encryption at any point — data-theft extortion only, tracked in ransomware feeds anyway.

~/articles/2026-07-04-vmware-vcenter-vsphere-client-rce-cve-2021-21972
vCenter's Unrestricted-Upload Bug: A Reminder That Management Planes Shouldn't Face the Internet
Explainer
vmware

CVE-2021-21972 let unauthenticated attackers execute code with root privileges on VMware vCenter Server — and internet scans found tens of thousands of instances exposed anyway, against VMware's own guidance.

~/articles/2026-07-04-polinrider-108-dprk-packages-contagious-interview
PolinRider: North Korean actors seed 108 malicious packages across four ecosystems
supply chain

The Hacker News reports 108 malicious npm, Packagist, Go, and Chrome extension listings tied to the DPRK Contagious Interview cluster. Here's what a dev shop actually does about it this week.

~/articles/2026-07-04-spring4shell-vmware-spring-framework-rce
Spring4Shell: Why This One Needed Careful Triage, Not Panic
Explainer
vmware

CVE-2022-22965 leaked publicly before VMware's patch was ready — but unlike Log4Shell, exploitation required a specific combination of conditions that made blanket panic the wrong response.

~/articles/2026-07-04-orchid-iga-ai-agents-lifecycle-gaps
IGA was built around employment records. Agents don't have those.
Analysis
vendor advisory

A contributed piece to The Hacker News from Orchid Security lays out where the joiner-mover-leaver model quietly fails for AI agents. Vendor-adjacent, but the gap analysis holds.

~/articles/2026-07-04-avalon-crownx-modular-malware-framework
Blackpoint: Avalon framework bundles theft, wiper, and CrownX ransomware
● Breaking
ransomware

Blackpoint Cyber says the previously undocumented Avalon framework combines credential theft, EDR-aware defense evasion, shadow-copy destruction, and the CrownX ransomware payload in one multi-stage phishing chain.
