Week in review

AUSCERT Week in Review for 10th July 2026

Greetings, The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a critical alert following a large-scale cyber campaign targeting vulnerabilities in website content management systems (CMS) across the globe, including Australia. Small and medium-sized businesses have been particularly affected, with attackers actively scanning websites for weaknesses in popular CMS platforms and plugins. According to the ACSC, malicious actors are exploiting known vulnerabilities that enable unauthenticated file uploads, remote code execution and other forms of server compromise. Their primary objective is to deploy webshells, which are malicious scripts that provide remote access and control over web servers. Once installed, webshells can be used to deface websites, steal credentials and sensitive data, distribute additional malware, or provide a foothold for broader network compromise. The campaign is exploiting vulnerabilities in a range of widely used CMS products and plugins, particularly within the WordPress ecosystem, as well as other platforms including Craft CMS, MaxSite CMS, MetInfo CMS and Joomla components. The ACSC noted that this activity highlights the growing cyber threat landscape, with advances in artificial intelligence contributing to faster identification and exploitation of newly disclosed vulnerabilities. Website owners and administrators are being urged to inspect systems for signs of compromise, review logs for suspicious activity, isolate affected servers and restore websites from known-good backups where necessary. The ACSC also recommends prioritising patching, monitoring for unauthorised file creation and restricting file access to reduce the risk of webshell deployment. Organisations should ensure all website software and plugins remain up to date and consider additional controls to detect unusual processes and limit potential movement within corporate networks. Max severity Adobe ColdFusion flaw now exploited in attacks Date: 2026-07-06 Author: Bleeping Computer [Please see AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.7232/] [AUSCERT has contacted affected members where applicable] Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel. ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems. Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Date: 2026-07-03 Author: Security Week Two critical vulnerabilities in the popular AI code editor Cursor could lead to remote code execution on the underlying operating system, Cato Networks reports. The security defects are tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS score of 9.8) and are referred to as DuneSlide, given that they lead to remote code execution (RCE) outside of the IDE’s sandbox. According to Cato, the flaws abuse Cursor’s automatic terminal command execution inside the sandbox, which does not prompt the user for approval, and can be triggered when a victim prompts the IDE to ingest an attacker-controlled payload. BeyondTrust warns of critical flaws in remote access software Date: 2026-07-07 Author: Bleeping Computer BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication. The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges. Critical Gitea Flaw Under Active Exploitation, Researchers Warn Date: 2026-07-07 Author: Security Week Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username. Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says. The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains. Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities Date: 2026-07-07 Author: The Hacker News A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials, followed by either the deployment of a web shell for persistent access or a known post-exploitation tool called VShell. ASB-2026.0125 – ALERT CMS and Plugins: CVSS (Max): 10.0* ACSC has published a critical alert warning of a large-scale campaign actively exploiting vulnerabilities in multiple CMS platforms to compromise websites, urging organisations to patch affected systems and check for signs of compromise. ESB-2026.7592 – IBM MQ container software: CVSS (Max): 10.0 IBM has released updates to fix multiple vulnerabilities affecting IBM MQ Operator and Queue manager container images. The update addresses security issues including Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, and Improper Validation of Integrity Check Value in components such as OpenSSL, WebSphere Application Server Liberty, and Java SE. ESB-2026.7596 – ALERT Palo Alto Prisma Browser: CVSS (Max): 9.6* Palo Alto Networks has incorporated Chromium security fixes into its products. These fixes are included in Google’s Chrome 150 release, which addresses 433 security fixes, including 20 Critical vulnerabilities affecting components such as Browser, V8, ANGLE, Skia, Blink, and FileSystem. ESB-2026.7647 – ALERT Juniper Networks CTPView: CVSS (Max): 10.0 Juniper Networks has released CTPView 9.3R2-3, addressing multiple vulnerabilities. Juniper SIRT is not aware of any malicious exploitation, and no workarounds are available. ESB-2026.7681 – OpenPLC v3: CVSS (Max): 9.9 Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem. Through the standard OpenPLC program compilation process, this may be escalated to arbitrary native code execution, potentially resulting in code execution as the OpenPLC runtime user. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 3rd July 2026

Greetings, Citrix has released patches for six vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances, but industry attention is firmly focused on CVE-2026-8451, a high-severity memory disclosure flaw that researchers say belongs to the same family of vulnerabilities as the infamous “CitrixBleed” attacks that have plagued organisations in recent years. The flaw carries a CVSS score of 8.8 and impacts NetScaler deployments configured as a SAML Identity Provider, a common setup for single sign-on environments. The vulnerability was discovered by security researchers at watchTowr while they were analysing another NetScaler issue disclosed earlier this year. According to the researchers, CVE-2026-8451 stems from insufficient input validation in the way NetScaler processes SAML authentication requests, creating an out-of-bounds memory read condition that could allow sensitive data to be exposed before authentication. In its analysis, watchTowr argued that the issue highlights a broader pattern of memory management weaknesses within NetScaler appliances. The researchers noted that similar memory disclosure vulnerabilities have repeatedly emerged in the product line, leading them to dub the latest flaw “CitrixBleed To Infinity And Beyond.” While there is currently no public evidence that CVE-2026-8451 is being actively exploited, security teams are taking the issue seriously. A closely related NetScaler vulnerability disclosed in March 2026 was exploited in the wild shortly after publication and was subsequently added to CISA’s Known Exploited Vulnerabilities catalogue. Organisations running affected NetScaler versions are strongly encouraged to apply Citrix’s latest updates as soon as possible and review vendor guidance for any additional mitigation steps. Critical SimpleHelp flaw exploited to deploy new stealer malware Date: 2026-06-29 Author: bleepingcomputer Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux. The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM). Hackers now exploit critical Oracle E-Business flaw in attacks Date: 2026-06-29 Author: Bleeping Computer [See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5874/] [AUSCERT has contacted affected members where applicable] Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused. This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks. Anonymous researcher drops 0-day 'exploitarium' repo Date: 2026-06-29 Author: The Register [AUSCERT has published security bulletins for CVE-2026-55200] Not everyone is willing to follow responsible disclosure of vulns. An anonymous researcher has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open source projects without notifying any vendors or maintainers prior to publishing – and attackers are already exploiting at least two of these. The first is CVE-2026-55200, a critical, pre-authentication remote code execution (RCE) vulnerability in libssh2, a popular client-side C library that implements the SSH2 protocol. DirtyClone: A Linux Privilege Escalation That Leaves No Trace on DiskDirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root Date: 2026-06-27 Author: Security Affairs DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now. JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone. It’s the fourth vulnerability in the DirtyFrag family, all sharing the same root failure: file-backed memory gets treated as packet data, and an in-place network operation writes where it should have copied. CVSSIf your kernel doesn’t have the May 21 mainline patch, update now. CISA: Windows BlueHammer flaw now exploited by ransomware gangs Date: 2026-06-30 Author: Bleeping Computer CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks. Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process. ESB-2026.7189 – Apple iOS and iPadOS: CVSS (Max): 8.8* Apple has released updates for iOS and iPadOS to address multiple vulnerabilities affecting Kernel, WebKit, WebRTC, and other components, including issues that may allow unexpected system termination, cross-origin data exposure, and sensitive information disclosure. ESB-2026.7232 – Adobe ColdFusion: CVSS (Max): 10.0 Adobe has released security updates for ColdFusion versions 2025 and 2023 to address multiple critical and important vulnerabilities. These vulnerabilities could allow arbitrary code execution, privilege escalation, unauthorized file system access, and security feature bypass. ESB-2026.7296 – NetScaler ADC and NetScaler Gateway: CVSS (Max): 8.8 Multiple vulnerabilities have been identified in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Cloud Software Group strongly recommends updating as soon as possible. ESB-2026.7324 – Splunk: CVSS (Max): 9.8 Splunk has remediated multiple Common Vulnerabilities and Exposures (CVEs) affecting third-party packages included in Python for Scientific Computing version 4.3.2 and later. ESB-2026.7358 – IBM MQ for HPE NonStop: CVSS (Max): 9.8 IBM MQ for HPE NonStop is affected by multiple OpenSSL vulnerabilities, including CVE-2026-31789. The most severe issue may lead to a heap buffer overflow when processing specially crafted X.509 certificates, potentially resulting in a crash or code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

Strengthening Cyber Resilience in the Pacific: AUSCERT’s Ongoing Commitment

Earlier this year, AUSCERT designed and facilitated customised tabletop exercises for two higher education institutions in the Pacific. These engagements built on the cyber security training courses previously delivered by AUSCERT to micro businesses in Fiji and Papua New Guinea throughout 2025. Our collaboration with Pacific Adventist University (PAU) in Papua New Guinea and a university in Fiji reflects AUSCERT’s continued commitment to strengthening cyber security capabilities across the region. Cyber threats are increasingly global in nature, but their impacts are often felt most acutely at the local level. Recognising this, AUSCERT has been working closely with universities in the Pacific region to build practical, sustainable cyber resilience. Through tailored exercises and training, we aim to empower institutions with the knowledge, skills and confidence needed to respond effectively to evolving threats. AUSCERT’s Tabletop Exercise service is a strong example of this collaborative approach, as key stakeholders were brought together within PAU to simulate a realistic cyber incident scenario. Participants were challenged to test their response processes, communication channels, and decision-making under pressure in a safe and controlled environment. Participants from both universities received a detailed After Action Report, a key component of AUSCERT’s capability-building approach. This report captured our observations from the exercise and provided targeted and actionable recommendations to strengthen future incident response efforts. PAU shared the following feedback on the experience: “AUSCERT delivered a professional and well-structured tabletop exercise for Pacific Adventist University. The scenario design was relevant, thoughtfully developed, and facilitated in a manner that encouraged meaningful participation across all stakeholders. AUSCERT demonstrated expertise, ensuring the session remained both engaging and instructive”. The accompanying After Action Report was comprehensive and insightful, clearly outlining areas for improvement and providing practical recommendations to enhance our preparedness and strengthen our organisational resilience. This engagement has significantly contributed to PAU’s capability uplift, and we sincerely value AUSCERT’s partnership.” Extending Support Across the Region Alongside the tabletop exercises, AUSCERT delivered a series of online cyber security training sessions for micro businesses in Fiji and Papua New Guinea. The training focused on building cyber security awareness, strengthening practical cyber hygiene, and improving participants’ confidence in recognising and responding to common cyber threats. Building a Stronger Global Cyber Community AUSCERT’s work in the Pacific forms part of a broader mission to foster a connected, collaborative global cyber community. We believe that sharing knowledge, experience, and best practices across borders is essential to addressing the collective challenges of cyber security. We are proud to support our partners in the Pacific and look forward to continuing this collaboration to help strengthen cyber resilience across the region and beyond.

Learn more

Week in review

AUSCERT Week in Review for 26th June 2026

Greetings, Global cyber security leaders are urging organisations to rethink their approach to risk as AI rapidly reshapes both the scale and speed of cyber attacks. In a joint statement, the Five Eyes alliance, comprising Australia, the United States, the United Kingdom, Canada and New Zealand, has warned that the impact of frontier AI models will be felt far sooner than many organisations expect. According to the advisory, these next-generation systems are poised to transform offensive and defensive cyber capabilities “within months, not years,” dramatically reducing the time between discovering and exploiting vulnerabilities. This acceleration is lowering barriers to entry for malicious actors, enabling less sophisticated attackers to launch complex, high-impact operations with increasing efficiency. Coverage from The Record reinforces this message, highlighting growing government concern that powerful AI tools can already identify and exploit software flaws at a pace that exceeds human response. In some cases, advanced models have demonstrated an ability to uncover vulnerabilities and generate exploit pathways in hours, intensifying fears that cyber defences may struggle to keep up. Despite the urgency, the Five Eyes agencies emphasise that the fundamentals of cyber security remain critical. Their guidance focuses on strengthening baseline practices such as rapid patching, reducing system exposure, improving identity controls and preparing thoroughly for inevitable breaches. They also stress that cyber risk is now a core organisational risk, rather than a purely technical issue, requiring strategy and leadership accountability. Importantly, the statement balances its warning with opportunity. While adversaries are already leveraging AI, organisations are urged to adopt the same technologies to enhance detection, improve resilience and respond more quickly to incidents. This message serves as an important reminder that AI is a present and accelerating force. Organisations that act decisively now will be better positioned to manage emerging risks, while those that delay may face growing operational, financial and reputational consequences. Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure Date: 2026-06-19 Author: Security Week A critical Splunk Enterprise vulnerability is being exploited in attacks only days after its public disclosure, and organizations have been urged to patch it immediately. The vulnerability is tracked as CVE-2026-20253 and Splunk’s advisory says it can be exploited by an unauthenticated attacker to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. “The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials,” Splunk said in its advisory. Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks Date: 2026-06-23 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2026.6126] A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco. ASD to retire Essential Eight cyber security framework within next two years Date: 2026-06-24 Author: iTnews Its replacement reflects a changing reality for security teams. The Australian Signals Directorate intends to retire its Essential Eight guidance framework within two years, to keep up with shifting cyber security sands. Replacing Essential Eight will be a broader "Essentials" series designed to cover enterprise IT, cloud, operational technology, and potentially agentic artificial intelligence (AI) as distinct security domains. 15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown Date: 2026-06-19 Author: Security Week [AUSCERT have contacted the potentially impacted members via email] Law enforcement agencies in four countries, working with Europol and private partners, have disrupted SocGholish infrastructure and cleaned up nearly 15,000 infected WordPress websites. Active since 2017 and also known as FakeUpdates, SocGholish is a malware framework injected into websites running popular content management systems, such as WordPress, Joomla, and Drupal, either via known vulnerabilities or stolen credentials. FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Date: 2026-06-23 Author: The Hacker News A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." ESB-2026.6227.3 – Cisco Catalyst SD-WAN Manager: CVSS (Max): 10.0 A severe vulnerability allowed an authenticated, local attacker to execute arbitrary commands as root via a crafted file into the affected system. Cisco has released updates that address this issue. ESB-2026.6871 – MISP: CVSS (Max): 9.4 This MISP update addresses two RCE vectors, an authentication hardening issue and various fixes across the controller layer. Upgrading is strongly recommended. ESB-2026.6891 – IBM MQ container software: CVSS (Max): 10.0* IBM MQ Operator and Queue Manager container images had multiple severe vulnerabilities addressed. IBM strongly recommends applying the latest container images. ESB-2026.6951 – Tenable Identity Exposure: CVSS (Max): 9.9 Several third party components of Tenable Identity Exposure were found to contain numerous vulnerabilities. Updated/patched versions have been provided by the respective vendors to address reported vulnerabilities. ESB-2026.7052 – chromium: CVSS (Max): 9.6* Execution of arbitrary code, denial of service and information disclosure were security issues recently discovered in Chromium. These issues have been addressed in version 149.0.7827.196-1~deb13u1. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 19th June 2026

Greetings, A newly uncovered data exposure incident dubbed “FortiBleed” has revealed a large number of Fortinet VPN credentials tied to organisations worldwide. The dataset contains usernames, email addresses, and plaintext passwords linked to more than 73,000 firewall devices across 194 countries, spanning industries from telecommunications and finance to government and manufacturing. The scale and sophistication of the operation suggest a highly organised campaign. Analysis indicates attackers carried out billions of login attempts against hundreds of thousands of systems, harvesting and cracking authentication data using advanced computing resources. The resulting database catalogued verified credentials as well as contextual details such as company size and industry, which is likely intended to help prioritise high-value targets. Independent researchers have validated portions of the leaked data, confirming that at least some credentials are authentic and recent. Many of the affected devices remain accessible online, amplifying the potential risk. Experts believe the information may have originated from exported Fortinet configuration files, though it is still unclear whether the exact source was a new vulnerability or previously compromised data. Despite the severity, Fortinet has stated that the leak does not stem from a newly identified flaw, but rather from a combination of past incidents and credential harvesting techniques such as brute-force attacks. Organisations who appear in the dataset are urged to immediately reset passwords linked to Fortinet VPN and administrative systems, implement multi-factor authentication, review gateway logs for any signs of suspicious activity, and keep a close watch for compromised employee credentials. Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Date: 2026-06-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6480] Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week. Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks Date: 2026-06-15 Author: Bleeping Computer [See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6638/] Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard. The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Oracle’s Second Monthly Security Updates Deliver 245 Patches Date: 2026-06-17 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6735/] Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products. Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Date: 2026-06-15 Author: The Hacker News [AUSCERT has shared IoCs related to CVE-2026-0257 via its MISP instance] Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections. According to the network security company, the security defect could be exploited by a bad actor to bypass security controls and initiate VPN connections. FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices. Date: 2026-06-18 Author: Bleeping Computer [AUSCERT have contacted the potentially impacted members via email] A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide. The exposed data was first discovered by security researcher Bob Diachenko, who says he found a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords. ESB-2026.6674 – Firefox 152: CVSS (Max): 9.1* Mozilla released the Firefox 152 update addressing multiple security vulnerabilities. The fixes include memory safety bugs, sandbox escapes, privilege escalation vulnerabilities, and other security issues across browser components ESB-2026.6681 – Atlassian Products: CVSS (Max): 10 Atlassian has released product versions over the past month that fix 76 high-severity vulnerabilities and 24 critical-severity third-party vulnerabilities. ESB-2026.6735 – Oracle Products: CVSS (Max): 9.8* The June 2026 Critical Security Patch Update contains 245 new security patches across multiple Oracle product families. It includes Oracle PeopleSoft PeopleTools and Oracle PeopleSoft Enterprise Applications patches addressing CVE-2026-35273. ESB-2026.6778 – Cisco Identity Services Engine: CVSS (Max): 9.1 Cisco has released software updates addressing multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow a remote attacker to achieve remote code execution or disclose information on affected devices. ESB-2026.6796 – NGINX: CVSS (Max): 8.1 F5 has released updates for affected products to address a vulnerability in NGINX Open Source. The issue may allow a remote unauthenticated attacker to trigger a use-after-free condition via a specially crafted HTTP/3 session, potentially leading to denial of service or code execution under certain conditions. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 12th June 2026

Greetings, Oracle has issued an urgent security advisory addressing a critical vulnerability in its widely used PeopleSoft platform, amid growing concerns that the flaw may already be exploited in real-world attacks. The vulnerability, tracked as CVE-2026-35273, affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 and could allow unauthenticated attackers to remotely execute code on affected systems. As PeopleSoft supports essential business functions such as HR, payroll, finance, and supply chain operations, potential impact of such a flaw is significant for large organisations globally. While Oracle has released mitigation guidance, it has yet to provide a full patch. The company has also not confirmed whether the vulnerability is being actively exploited as a zero-day, though it has strongly urged customers to follow its guidance immediately to reduce risk. Concern has been heightened by reports linking the issue to activity from the cybercriminal group ShinyHunters. The group has claimed to have targeted hundreds of PeopleSoft instances across more than 100 organisations, allegedly combining previously known flaws with zero-day vulnerabilities to access sensitive data. Security researchers have observed at least some level of exploitation, reinforcing the urgency of the situation. The education sector appears particularly affected, with institutions such as the University of Nottingham confirming data breaches linked to the campaign. This latest development highlights the ongoing risks facing enterprise software environments and highlights the importance of timely mitigation, monitoring and rapid response capabilities. Organisations relying on PeopleSoft are being advised to prioritise Oracle’s recommendations as investigations continue and more details emerge. Cisco warns of unpatched SD-WAN zero-day exploited in attacks Date: 2026-06-05 Author: Bleeping Computer [See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2026.6227.2/] On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation. The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog Date: 2026-06-06 Author: The Hacker News The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting SolarWinds Serv-U multi-protocol file server software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-28318 (CVSS score: 7.5), is a denial-of-service (DoS) bug that causes the service to crash under certain conditions. CISA described it as an uncontrolled resource consumption vulnerability that results in a DoS condition. Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Date: 2026-06-10 Author: The Hacker News [AUSCERT has published relevant security bulletins] Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure. The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It's tracked as CVE-2026-25089 (CVSS score: 9.1). Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code Date: 2026-06-09 Author: The Hacker News [AUSCERT has contacted affected members where applicable] Veeam has released security patches to address a critical flaw in its Backup & Replication software that could result in remote code execution. Tracked as CVE-2026-44963, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," Veeam said in a Tuesday advisory. Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks Date: 2026-06-10 Author: Bleeping Computer [AUSCERT has published a relevant security bulletin – https://portal.auscert.org.au/bulletins/ASB-2026.0123/] Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration. ESB-2026.6355 – Google Chrome: CVSS (Max): 9.6* Google Chrome addresses 74 security vulnerabilities, including 17 Critical issues, and also fixes a High-severity vulnerability that is known to be actively exploited in the wild. ESB-2026.6391 – Adobe Campaign Classic: CVSS (Max): 10 Adobe has released security updates for Adobe Campaign Classic. This update addresses critical vulnerabilities that could result in arbitrary code execution. ESB-2026.6438 – Fortinet FortiSandbox: CVSS (Max): 9.1 A vulnerability in the FortiSandbox web UI involving improper neutralization of special elements used in an OS command may allow an unauthenticated attacker to execute unauthorized commands through specially crafted HTTP requests. ESB-2026.6460 – Palo Alto Products: CVSS (Max): 9.3 A vulnerability involving improper validation of credentials in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources. ESB-2026.6473 – Splunk Enterprise: CVSS (Max): 10 Splunk Enterprise updates multiple components including Go, MongoDB, aiohttp, OpenTelemetry, PostgreSQL, etcd-related binaries, Log4j, and Cloudflare CIRCL libraries to address a range of security vulnerabilities, including some with associated CVE identifiers. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 5th June 2026

Greetings, Microsoft has moved to address a significant identity security issue in its Entra ID platform, patching a flaw that could have enabled widespread privilege escalation and service account takeover across enterprise environments. The vulnerability, identified by researchers at Silverfort, centred on the “Agent ID Administrator” role. This feature was introduced to manage the lifecycle of AI agent identities within Entra ID. While the role was designed with a limited scope, researchers discovered it could be abused to take ownership of arbitrary service principals, including those unrelated to AI agents. By assigning themselves ownership and adding new credentials, attackers could effectively impersonate these service accounts and inherit their permissions, a scenario described as “full service principal takeover.” The risks associated with this flaw are substantial. Service principals often underpin critical enterprise functions such as automation workflows, API integrations, and cloud infrastructure operations. If compromised, particularly when linked to highly privileged roles or Microsoft Graph permissions, attackers could gain broad access to sensitive systems, escalate privileges further, and potentially take control of entire tenant environments. The root cause of the issue lies in a failure to properly enforce scope boundaries. Because AI agent identities are built on the same underlying architecture as standard service principals, the role’s permissions extended beyond their intended domain. This highlights a growing challenge in identity security, where new features layered on existing systems can inadvertently introduce unexpected access paths. Microsoft responded by deploying a fix across cloud environments on April 9, 2026, blocking the ability of the Agent ID Administrator role to modify non-agent service principals. The incident serves as a timely reminder that robust role scoping, continuous monitoring, and strict governance of non-human identities are essential as organisations adopt increasingly complex, AI-driven identity ecosystems. Critical Windows Netlogon RCE flaw now exploited in attacks Date: 2026-06-01 Author: Bleeping Computer [See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ASB-2026.0110] The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks. Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks. Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows attackers without privileges to gain remote code execution on targeted domain controllers. Critical Kirki flaw exploited to hijack WordPress admin accounts Date: 2026-06-02 Author: Bleeping Computer Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. The attacks were detected by WordPress security firm Defiant, whose Wordfence firewall blocked over 222 attempts against its customers in the past 24 hours. The full name of the plugin is Kirki – Freeform Page Builder, Website Builder & Customizer. It is a freeform visual builder and advanced theme customizer active on more than 500,000 websites. Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks Date: 2026-05-30 Author: Bleeping Computer [See updated AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2026.5111.2] Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device. "GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory. Exploit Code Published for Critical Flowise RCE Vulnerability Date: 2026-05-30 Author: Security Week Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise. The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic’s MCP protocol. Flowise, a popular open source platform that provides developers with a drag-and-drop interface for building LLM flows and AI agents, and which has over 52,000 GitHub stars, was flagged as one of the impacted products. ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds Date: 2026-06-03 Author: Security Week Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn. Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory. ASB-2026.0110 – Microsoft Windows: CVSS (Max): 9.8 Microsoft's May 2026 Patch Tuesday update addresses 67 vulnerabilities across supported Windows desktop and server platforms, including Windows 10, Windows 11, Windows Server 2016–2025, and Windows Admin Center. ESB-2026.5111.2 – Palo Alto PAN-OS: CVSS (Max): 7.8 A high-severity authentication bypass vulnerability, affects Palo Alto Networks' GlobalProtect VPN functionality on PAN-OS firewalls. Successful exploitation allows an unauthenticated attacker to bypass security controls and establish unauthorized VPN access. ESB-2026.6009 – IBM QRadar Investigation Assistant App: CVSS (Max): 10.0 IBM has released an update for the IBM QRadar Investigation Assistant App (AI Assistant) to address numerous vulnerabilities in bundled third-party components. ESB-2026.5923 – Chormium: CVSS (Max): 9.8 Debian has released an advisory to address a large number of security vulnerabilities in Chromium. The advisory addresses vulnerabilities that could lead to, Remote code execution, Information disclosure &Denial of service. ESB-2026.6022 – Unbound: CVSS (Max): 10 Ubuntu has released an advisory to address multiple vulnerabilities in Unbound, a widely used validating, recursive DNS resolver. The advisory backports fixes for several vulnerabilities affecting older Ubuntu LTS releases. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more