Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials CVE-2025-5777
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Mo
Classification: Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints CVE-2026-33017
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, i
Classification: Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html
Microsoft 365 Copilot CVE-2026-41106 elevation-of-privilege advisory
Classification: NEW. New MSRC advisory affects tenant AI and M365 permission boundaries.
Recommended action: Apply MSRC guidance and validate Copilot tenant permissions, plugins/connectors, and privileged audit events.
Identifiers: CVE-2026-41106
Sources: [MSRC CVE-2026-41106](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41106)
Azure OpenAI CVE-2026-45499 elevation-of-privilege advisory
Classification: NEW. New MSRC advisory is relevant to cloud AI service boundary review.
Recommended action: Apply MSRC guidance and review Azure OpenAI permissions, managed identities, and control-plane changes.
Identifiers: CVE-2026-45499
Sources: [MSRC CVE-2026-45499](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45499)
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild CVE-2026-46817
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be a
Sources: https://thehackernews.com/2026/06/oracle-e-business-suite-flaw-cve-2026.html
9router CVE-2026-49352 fallback JWT secret authentication bypass
Classification: NEW. Hardcoded fallback JWT secrets can enable authentication bypass.
Recommended action: Patch/update 9router, rotate JWT secrets, and audit token anomalies.
Identifiers: CVE-2026-49352, GHSA-jphh-m39h-6gwx
Sources: [GitHub advisory GHSA-jphh-m39h-6gwx](https://github.com/advisories/GHSA-jphh-m39h-6gwx)
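Why a hard-coded fallback secret is an authentication bypass rather than a mere weakness, shown with a minimal HS256 JWT signer and verifier built on the Python standard library. This is an added illustration, not 9router's code or anything from the advisory: the constant name FALLBACK_SECRET, the JWT_SECRET environment variable, the claim names and the attacker flow are all assumptions chosen to demonstrate the vulnerability class. The vulnerable selector silently falls back to a public constant when no secret is configured, so anyone who has read the source can mint an admin token the server accepts; the hardened selector fails closed, and the final helper is the kind of post-patch audit the recommended action calls for (which already-issued or logged tokens validate under the old default).

```python
"""Fallback JWT secret: vulnerable vs. fail-closed, plus a post-patch audit.

Added example, not 9router's code. FALLBACK_SECRET, JWT_SECRET, the claim
names and the attacker flow are assumptions made for illustration only.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical shipped default; any constant in a public repo is attacker-known.
FALLBACK_SECRET = "dev-secret-change-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str):
    """Return the claims if the HS256 signature checks out under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # refuse alg=none / key-confusion variants
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def vulnerable_secret(env: dict) -> str:
    """Vulnerable pattern: an unset secret quietly becomes the public constant."""
    return env.get("JWT_SECRET") or FALLBACK_SECRET


def hardened_secret(env: dict) -> str:
    """Hardened pattern: fail closed. No strong, unique secret means no service."""
    s = env.get("JWT_SECRET")
    if not s or len(s) < 32 or s == FALLBACK_SECRET:
        raise RuntimeError("JWT_SECRET must be set to a strong, unique value")
    return s


def attacker_forges_admin(secret_selector, env: dict):
    """Attacker who read the default mints an admin token; returns the claims
    the server accepts, or None if the token (or the deployment) is rejected."""
    forged = sign_jwt({"sub": "attacker", "role": "admin"}, FALLBACK_SECRET)
    try:
        server_secret = secret_selector(env)
    except RuntimeError:
        return None  # service refused to start without a real secret
    return verify_jwt(forged, server_secret)


def tokens_signed_with_fallback(tokens):
    """Post-patch audit: which observed tokens still validate under the old default?
    Any hit is a token that must be revoked, since anyone could have minted it."""
    return [t for t in tokens if verify_jwt(t, FALLBACK_SECRET) is not None]


if __name__ == "__main__":
    print(attacker_forges_admin(vulnerable_secret, {}))   # forged admin claims accepted
    print(attacker_forges_admin(hardened_secret, {}))     # None: refuses to run unset
    strong = {"JWT_SECRET": secrets.token_urlsafe(48)}
    print(attacker_forges_admin(hardened_secret, strong))  # None: signature mismatch
```

Rotating the secret is necessary but not sufficient: tokens minted under the old default remain valid until they expire or the verifier stops accepting that key, so run the audit over issued or logged tokens and revoke every hit.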
mcp-memory-service CVE-2026-50027 exposes unauthenticated document APIs
Classification: NEW. Missing authentication on document APIs can expose or delete MCP memory content.
Recommended action: Patch/update mcp-memory-service, restrict APIs behind authentication, and rotate exposed tokens where shared endpoints existed.
Identifiers: CVE-2026-50027, GHSA-84hp-mqvj-3p8h
Sources: [GitHub advisory GHSA-84hp-mqvj-3p8h](https://github.com/advisories/GHSA-84hp-mqvj-3p8h)
Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands CVE-2026-50548
Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. They are
Sources: https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html
Ubiquiti UniFi WID-SEC-2026-2171 / CVE-2026-50746 enters network-management routing
Classification: NEW. UniFi controllers are high-value management systems.
Recommended action: Patch/update UniFi controllers and restrict management-plane exposure.
Identifiers: CVE-2026-50746, WID-SEC-2026-2171
Sources: [CERT-Bund WID-SEC-2026-2171](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2171)
Microsoft Entra Provisioning Service CVE-2026-57100 elevation-of-privilege advisory
Classification: NEW. New MSRC advisory affects identity provisioning workflows.
Recommended action: Apply MSRC guidance and review provisioning connectors, scoped assignments, and lifecycle changes.
Identifiers: CVE-2026-57100
Sources: [MSRC CVE-2026-57100](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100)
Also tracked
- Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts · CVE-2026-8037 · Critical
- Mautic CVE-2026-9558 theme-template server-side template injection · CVE-2026-9558 · Critical
- Sangoma Asterisk CVE-2022-37325 version-range advisory · CVE-2022-37325 · High
- Apache Airflow CNCF Kubernetes provider CVE-2023-33234 code execution · CVE-2023-33234 · High
- Docker CLI for Windows CVE-2025-15558 plugin search-path advisory · CVE-2025-15558 · High
- NLTK CVE-2026-0847 arbitrary-file advisory · CVE-2026-0847 · High
- Keycloak CVE-2026-2092 SAML assertion validation authorization issue · CVE-2026-2092 · High
- OpenEXR CVE-2026-27622 EXR parser advisory · CVE-2026-27622 · High
- Multer CVE-2026-3520 multipart/form-data advisory · CVE-2026-3520 · High
- SimpleSAMLphp CVE-2026-49283 HTTP-Artifact TLS validator confusion · CVE-2026-49283 · High
- SimpleSAMLphp CVE-2026-49284 unexpected IdP response acceptance · CVE-2026-49284 · High
- 9router CVE-2026-49353 incomplete local-only access gate fix · CVE-2026-49353 · High
- Recce CVE-2026-49360 unauthenticated SQL execution and file access · CVE-2026-49360 · High
- Steeltoe CVE-2026-50194 management-port isolation bypass · CVE-2026-50194 · High
- OpenClaw CVE-2026-53814 hook-triggered CLI runs can inherit owner MCP authority · CVE-2026-53814 · High
- OpenClaw CVE-2026-53815 message reads could skip channel allowlists · CVE-2026-53815 · High
- OpenClaw CVE-2026-53817 can mint durable admin device tokens · CVE-2026-53817 · High
- Microsoft Exchange Online CVE-2026-54998 elevation-of-privilege advisory · CVE-2026-54998 · High
- Mautic CVE-2026-9808 API v2 authorization bypass · CVE-2026-9808 · High
- IBM DB2 WID-SEC-2026-0262 / CVE-2025-2668 enters CERT-Bund high queue · CVE-2025-2668 · Medium
- Vercel Next.js WID-SEC-2026-0219 / CVE-2025-59471 denial-of-service routing · CVE-2025-59471 · Medium
- Microsoft Azure Synapse CVE-2026-26145 elevation-of-privilege advisory · CVE-2026-26145 · Medium
- Coolify WID-SEC-2026-2182 / CVE-2026-34038 code-execution advisory · CVE-2026-34038 · Medium
- PowerDNS WID-SEC-2026-1225 / CVE-2026-33256 adds a second DNS owner check · CVE-2026-33256 · Medium
- Kibana WID-SEC-2026-2179 / CVE-2026-49087 enters EU patch routing · CVE-2026-49087 · Medium
- PowerDNS WID-SEC-2026-0932 / CVE-2026-0396 enters CERT-Bund routing · CVE-2026-0396 · Low
- IBM DataPower Gateway WID-SEC-2026-2169 / CVE-2025-36374 reaches EU routing · CVE-2025-36374 · Unknown
- ST Engineering iDirect iQ-Series ICSA-26-183-01 / CVE-2026-38059 reaches CISA ICS routing · CVE-2026-38059 · Unknown
- ChocoPoC RAT targets vulnerability researchers through fake PoC repositories
- Cisco Catalyst Center NCSC-2026-0218 lands in NCSC-NL routing
- CISA: Microsoft SharePoint RCE flaw now actively exploited
- Cisco finally confirms attackers exploiting Unified CM flaw
- New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure