29 May 2026

Week in review

Greetings,

Carnival Corporation, the world’s largest cruise operator, has confirmed a significant cyber security incident affecting nearly six million individuals.

The breach, which occurred in April 2026, was triggered by a social engineering attack in which a threat actor deceived an employee into granting access to their account. This allowed the attacker to infiltrate a limited portion of Carnival’s IT systems and ultimately extract customer data. The company detected suspicious activity on April 14 and moved to block access, later confirming on April 22 that personal information had been copied.

Carnival has since begun notifying approximately 5.99 million affected individuals. While the full scope of the compromised data varies, exposed information is believed to include names, dates of birth, email addresses, and loyalty program details. The breach has been linked to the ShinyHunters cybercrime group, which claimed responsibility and alleged it stole millions of records along with large volumes of internal corporate data.

The incident highlights the ongoing effectiveness of social engineering tactics, where attackers exploit human behaviour rather than technical vulnerabilities to gain entry into systems.

In response, Carnival says it has strengthened its cyber security measures and engaged external experts to support its investigation. However, for millions of customers, the breach serves as a timely reminder of the importance of vigilance in protecting personal information in an increasingly digital travel landscape.


LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access
Date: 2026-05-22
Author: Cyber Security News

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
LiteSpeed has disclosed and patched a critical 0-day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers.
The bug is tracked as CVE-2026-48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5.

Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
Date: 2026-05-28
Author: The Hacker News

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.
The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier.
"The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said.

Trend Micro warns of Apex One zero-day exploited in the wild
Date: 2026-05-22
Author: Bleeping Computer

Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems.
Apex One is Trend Micro's enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats.

Drupal: Critical SQL injection flaw now targeted in attacks
Date: 2026-05-22
Author: Bleeping Computer

Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week.
The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting "within hours or days."

New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
Date: 2026-05-26
Author: Cyber Security News

A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool’s NTFS archive handler.
Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).
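The advisory summary above describes the root cause as a buffer size computed with a 32-bit shift. The following added C example (not 7-Zip's code, and not its actual patch) shows why that pattern is dangerous and what a defensive size computation looks like. The parameter names BlockSizeLog and CompressionUnit are taken from the advisory text; the policy bound MAX_CU_LOG, the helper names and the sample values are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Illustration of the "buffer size from a 32-bit shift" bug class described in
 * the 7-Zip advisory summary. This is added example code, not 7-Zip's source:
 * field names come from the advisory, everything else is assumed. */

/* What a 32-bit computation of (UInt32)1 << (BlockSizeLog + CompressionUnit)
 * produces once the shift count reaches 32. The value is computed in 64 bits
 * and then truncated so that this demo itself stays free of undefined
 * behaviour; for counts >= 32 the truncated result is 0, i.e. an allocation
 * far smaller than the data the caller will later write into it. */
uint32_t cu_size_unchecked(unsigned BlockSizeLog, unsigned CompressionUnit)
{
    unsigned shift = BlockSizeLog + CompressionUnit;
    if (shift >= 64)
        return 0;                      /* keep the demonstration well-defined */
    return (uint32_t)((uint64_t)1 << shift);
}

/* Hardened form: validate each input against an explicit policy bound before
 * adding them (so the sum cannot wrap), bound the resulting shift count, and
 * compute in 64 bits. Returns 1 and stores the size on success, 0 on rejection;
 * a caller treats 0 as "corrupt archive" and refuses to allocate.
 * MAX_CU_LOG (2^30 bytes) is an assumed limit, not a 7-Zip constant. */
#define MAX_CU_LOG 30u

int cu_size_checked(unsigned BlockSizeLog, unsigned CompressionUnit, uint32_t *out)
{
    if (BlockSizeLog > MAX_CU_LOG || CompressionUnit > MAX_CU_LOG)
        return 0;
    unsigned shift = BlockSizeLog + CompressionUnit;   /* cannot overflow here */
    if (shift > MAX_CU_LOG)
        return 0;                                      /* also excludes shift >= 32 */
    uint64_t size = (uint64_t)1 << shift;
    if (size > UINT32_MAX)
        return 0;                                      /* defensive; unreachable with MAX_CU_LOG */
    *out = (uint32_t)size;
    return 1;
}

/* Convenience wrapper: checked size, or 0 when the inputs are rejected. */
uint32_t cu_size_or_zero(unsigned BlockSizeLog, unsigned CompressionUnit)
{
    uint32_t size = 0;
    return cu_size_checked(BlockSizeLog, CompressionUnit, &size) ? size : 0;
}

int main(void)
{
    /* Constructed sample inputs: a plausible pair and an attacker-sized pair. */
    printf("sane    : unchecked=%u checked=%u\n",
           cu_size_unchecked(12, 4), cu_size_or_zero(12, 4));
    printf("hostile : unchecked=%u checked=%u (0 == rejected)\n",
           cu_size_unchecked(20, 12), cu_size_or_zero(20, 12));
    return 0;
}
```

The point of the checked version is that rejection happens before any arithmetic that could wrap: each field is compared against the bound on its own, then the sum is bounded again, and only then is the shift performed in a type wide enough to hold the result.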


ASB-2026.0111 – Microsoft SharePoint Server: CVSS (Max): 8.8

Microsoft has released a security update addressing a remote code execution vulnerability in Microsoft SharePoint Server. A deserialization of untrusted data vulnerability in Microsoft Office SharePoint allows an authenticated attacker with low privileges to exploit this flaw over the network to execute arbitrary code on the affected SharePoint server.

ESB-2026.5634 – NGINX: CVSS (Max): 8.1

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.

ESB-2026.5674 – IBM QRadar SIEM: CVSS (Max): 9.8*

Multiple components with known vulnerabilities were addressed in IBM QRadar SIEM 7.5.0 UP15 IF03, including an off-by-one heap buffer overflow in XML::Parser when parsing deeply nested XML files. A heap overflow in the Linux kernel NFSv4.0 replay cache caused by copying oversized LOCK denied responses into a fixed 112-byte buffer without bounds checking was also addressed. Additional fixes included a use-after-free issue in Python decompressor objects after a MemoryError, a Vim modeline sandbox bypass allowing arbitrary OS command execution when opening a crafted file, and an OpenSSH scp issue that could install downloaded files as setuid or setgid under specific conditions.

ESB-2026.5737 – IBM WebSphere Application Server: CVSS (Max): 9.8

IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component.

ESB-2026.5761 – Jenkins: CVSS (Max): 8.8*

LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization "gadgets" are available on the classpath.


Stay safe, stay patched and have a good weekend!

The AUSCERT team