Security Highlights Of The Week [07/26-1]

Cisco Confirms Active Exploitation of Unified CM Flaw
Cisco confirmed that attackers are now exploiting CVE-2026-20230 in Unified Communications Manager. The bug is an unauthenticated SSRF issue that can be triggered remotely with crafted HTTP requests, putting core enterprise telephony infrastructure at risk.
Source: BleepingComputer

FortiBleed Credential Theft Now Linked to Real Ransomware Deployments
SOCRadar linked FortiBleed to INC and Lynx ransomware operations, showing a direct path from FortiGate credential theft to follow-on intrusions. The campaign reportedly scanned over 11,000 FortiGate portals, gained confirmed admin access on hundreds of targets, and has already led to multiple ransomware incidents.
Source: The Hacker News

Over 900 Oracle E-Business Instances Are Exposed to Ongoing Attacks
Researchers warned that more than 900 Oracle E-Business Suite instances are exposed while threat actors actively exploit CVE-2026-46817. The flaw affects Oracle Payments and can allow unauthenticated takeover of vulnerable systems over HTTP.
Source: BleepingComputer

New CitrixBleed Vulnerability Was Exploited Less Than a Day After Disclosure
A new CitrixBleed-like flaw in NetScaler ADC and Gateway, CVE-2026-8451, was exploited almost immediately after public technical details appeared. The issue leaks memory from appliances configured as SAML identity providers, continuing the trend of rapid exploitation against remote access infrastructure.
Source: SecurityWeek

Microsoft SharePoint RCE Added to KEV After Active Exploitation
CISA added CVE-2026-45659 in Microsoft SharePoint Server to the Known Exploited Vulnerabilities catalog. The deserialization flaw is now being actively exploited, reinforcing the continued pressure on on-premises collaboration infrastructure.
Source: CISA

Splunk Enterprise RCE Reached Active Exploitation Status
CVE-2026-20253 in Splunk Enterprise is a critical unauthenticated remote code execution flaw in a PostgreSQL sidecar recovery path exposed through Splunk Web. After public analysis and proof-of-concept release, CISA added the issue to KEV and required rapid remediation.
Source: Zscaler ThreatLabz

BlueHammer Is Being Used in Real Ransomware Attacks
CISA warned that the Microsoft Defender privilege escalation bug known as BlueHammer is now being exploited in ransomware operations. The flaw was publicly disclosed before patching, and attackers appear to be using it to strengthen post-compromise access on Windows hosts.
Source: BleepingComputer

Trojanized CVE Proof-of-Concept Repositories Are Targeting Security Researchers
YesWeHack and Sekoia documented an ongoing campaign using malicious exploit repositories to compromise vulnerability researchers and pentesters. The campaign has been active since late 2025 and abuses the trust placed in public proof-of-concept code.
Source: YesWeHack

JADEPUFFER Shows the First Documented Agentic Ransomware Operation
Sysdig described JADEPUFFER as a fully automated extortion workflow driven end-to-end by a large language model. The actor exploited an exposed Langflow instance, adapted during the intrusion, and then pivoted into destructive database extortion without a traditional human operator driving each step.
Source: Sysdig

Vect and TeamPCP Formalize a Supply Chain and Ransomware Partnership
Sophos reported that Vect and TeamPCP are now working together, combining credential theft and supply chain compromise with ransomware deployment. The partnership shows how specialized criminal groups are increasingly linking initial access, data theft, and extortion into one coordinated pipeline.
Source: Sophos

Mustang Panda Targets India’s Government and Energy Sectors with New Tooling
Acronis tracked concurrent Mustang Panda campaigns against Indian government and hydropower targets. The operations used newly identified implants, including ZOHOMURK and MINIRECON, and abused Zoho WorkDrive as part of the intrusion chain.
Source: Acronis TRU

VeilDrop Uses Blogspot to Deliver an In-Memory Stealer Chain
Securonix analyzed VeilDrop, a multi-stage delivery chain that begins with a fake document script and uses Blogspot-hosted payload stages to deploy PureLog Stealer in memory. The campaign leans on trusted cloud infrastructure and layered obfuscation to reduce detection opportunities.
Source: Securonix

Iran-Linked TAG-182 Expands MarkiRAT Surveillance Operations
Recorded Future linked new infrastructure to TAG-182 and its use of MarkiRAT in Iranian surveillance campaigns. The operation appears focused on Iranians inside and outside the country and uses lures such as fake VPNs and download tools distributed through social platforms.
Source: Recorded Future

TONResolver Targets Japan’s Hotel Sector Using Blockchain-Based C2 Updates
Trend Micro described a phishing-led campaign against Japanese Booking.com partner organizations that deploys TONResolver RAT. The malware uses the TON blockchain as a dead drop resolver, giving operators a flexible way to rotate command-and-control endpoints without hardcoding them into the payload.
Source: Trend Micro

LSHIY Password Spray Campaign Made More Than 81 Million Login Attempts
Huntress observed a large automated password spraying campaign against Microsoft Azure CLI workflows originating from infrastructure linked to LSHIY. The activity produced over 81 million login attempts and compromised dozens of Microsoft accounts, including environments that already had Conditional Access in place.
Source: Huntress

Scroll to top