🔔 This is CVE Pulse, the official channel from cve.tools.
“Critical” by CVSS ≠ dangerous. What's dangerous is what's being exploited. We surface exactly those CVEs and break down: what's broken, who's attacking, how to check your own systems, and what to fix first.
Formats: #breakdown of fresh CVEs · weekly #signal · monthly #trends · product #release.
Verify any CVE → cve.tools/verify
Breakdowns & trends → cve.tools
🛡️ CVE-2026-39893: Cacti pre-auth SQL injection (CVSS 9.8)
Cacti ≤ 1.2.30: the graph-filter "rfilter" is concatenated into a MySQL RLIKE clause in graph_view.php with only a regex check. A quote slips past into the database.
• Pre-auth ONLY if guest graph viewing is enabled (off by default); otherwise authenticated-only. The 9.8 is worst-case.
• No public PoC / KEV / in-the-wild activity yet (3 Jul 2026).
• But: the same bug was an unauth SQLi in 2023 (CVE-2023-39361), and Cacti pre-auth bugs turn into botnets fast. Patch before the PoC.
✅ Fix: upgrade to 1.2.31. Stopgap: disable guest access + WAF rule rejecting a quote in rfilter.
🔗 Full breakdown: https://cve.tools/blog/cacti-cve-2026-39893-rfilter-sql-injection-explained
CVE Tools
CVE-2026-39893: Cacti Pre-Auth SQL Injection in graph_view.php (CVSS 9.8)
CVE-2026-39893 is a CVSS 9.8 pre-authentication SQL injection in Cacti <= 1.2.30 via the rfilter RLIKE clause in graph_view.php. What it is, why the 9.8 is conditional, the attack chain, detection, and how to fix it.
🔴 CVE-2025-61882: Oracle EBS pre-auth RCE, exploited in the wild
⚔️ CVSS 9.8: unauthenticated, network, no user interaction
🏢 Oracle E-Business Suite 12.2.3–12.2.14
📈 EPSS 0.997 (99.95th pct): public exploit exists
🚨 CISA KEV: listed 6 Oct 2025, ransomware-flagged
🕵️ Cl0p zero-day since ~9 Aug 2025 (traces to 10 Jul): long dwell time
🔍 Mechanism: XSLT / XSL template injection (javax.script eval), NOT deserialization
⚠️ Patch ≠ done: also apply CVE-2025-61884, and if you were exposed, hunt for a web shell + rotate secrets. Patching won't undo stolen data.
🧩 Operators (Cl0p) ≠ leakers (Scattered Lapsus$ Hunters). Google does NOT attribute exploitation to ShinyHunters.
Confirmed victims: The Washington Post, GlobalLogic/Hitachi, Harvard, Dartmouth, Envoy Air.
🔗 Full breakdown → https://cve.tools/blog/cve-2025-61882-oracle-ebs-preauth-rce-cl0p
CVE Tools
CVE-2025-61882: Oracle EBS Pre-Auth RCE (Cl0p Zero-Day) Explained
CVE-2025-61882 is a critical unauthenticated RCE in Oracle E-Business Suite (12.2.3-12.2.14) exploited by Cl0p. The exploit chain, IoCs, detection, and patch guidance.
🚨 Cisco Catalyst SD-WAN: CVE-2026-20245 (root access)
Exploited as a 0-day ~2 months before Cisco disclosed it. Now on CISA KEV; June 23 federal patch deadline has passed.
Read the numbers honestly:
📊 CVSS 7.8 HIGH, but LOCAL + netadmin (privesc to root, not an internet RCE)
🎯 KEV: confirmed in-the-wild exploitation
📈 EPSS: top ~5% (94.99th percentile)
⛓️ The real risk is the chain: auth-bypass bugs CVE-2026-20182 (CVSS 10.0) + CVE-2026-20127 → netadmin, then 20245 → commands as root on vManage/vSmart/vBond, a hidden root account, logs wiped.
🔧 No workaround: upgrade, and patch the whole chain.
🕵️ SD-WAN gear runs no EDR: no alerts ≠ clean. Assume-breach and hunt.
🔗 Full breakdown + IoCs: https://cve.tools/blog/cisco-sd-wan-cve-2026-20245-root-access-explained
CVE Tools
CVE-2026-20245: Cisco Catalyst SD-WAN Root Access (KEV, Exploited)
CVE-2026-20245 lets a netadmin run arbitrary commands as root on Cisco Catalyst SD-WAN; exploited in the wild for months before disclosure and now on CISA KEV. What it is, how attackers chain it, and what to do.
🔥 CVE-2026-24858 + FortiBleed: patch the bug, but chase the credentials
💡 The CVE: FortiCloud SSO auth bypass (CWE-288), pre-auth, CVSS 9.8, on CISA KEV since Jan 27, 2026, but PATCHED by Fortinet in January (FG-IR-26-060).
🩸 FortiBleed: the live credential campaign. Fortinet says it's NOT a new exploit; it's reuse + brute force. This CVE helped fill the pool.
📊 SOCRadar: 86,644 exposed devices, 194 countries, ~half of internet-facing Fortinet. "FortigateSniffer" implants sniff creds across ~24 protocols.
❓ Attribution to a Russian-speaking broker ("SantaAd") is tentative and unconfirmed.
✅ Today: rotate every Fortinet credential + enforce MFA. Patching alone won't undo harvested creds.
🔗 Full breakdown: https://cve.tools/blog/cve-2026-24858-fortinet-sso-bypass-fortibleed-explained
CVE Tools
CVE-2026-24858: Fortinet SSO Auth Bypass & FortiBleed (KEV)
CVE-2026-24858 is a critical FortiCloud SSO authentication bypass on KEV, patched in January 2026. Here's what it is, how it connects to the FortiBleed credential campaign, and what to do, without the hype.
🚨 UniFi OS Server: unauthenticated RCE to root
CVE-2026-34910 · CVSS 10.0 · on CISA KEV · exploited in the wild
🔗 The chain (per Bishop Fox, validated on live 5.0.6):
• CVE-2026-34908 + CVE-2026-34909 → auth bypass (raw-vs-normalized URI)
• CVE-2026-34910 → command injection via an unvalidated package name
• passwordless sudo → trivial root
⚠️ No password, no user interaction, no failed-login trail to hunt.
🌍 In the wild: rogue "John Sim" admin accounts + Mirai-style botnet. Detection script published; no working exploit released.
✅ Fix: upgrade UniFi OS Server to 5.0.8+ (also 5.1.10/5.1.11/5.1.12), take the mgmt UI off the internet, assume-breach hunt.
🔗 Full breakdown: https://cve.tools/blog/unifi-os-cve-2026-34910-unauthenticated-rce-chain-explained
CVE Tools
CVE-2026-34910: UniFi OS Unauthenticated RCE Chain (KEV)
CVE-2026-34910 is the command-injection link in a no-auth chain that gives root on Ubiquiti UniFi OS Server. CVSS 10, on CISA KEV, exploited in the wild. What it is, the chain, and how to fix it.
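The first link of the chain above is a raw-vs-normalized URI mismatch. As an added illustration (not part of the CVE Pulse post, and not Ubiquiti's or Bishop Fox's code), here is the bug class in miniature with hypothetical routes: an access check that reads the request path as received while the router dispatches on the normalized form, next to the hardened version that decides on the canonical path and refuses ambiguous spellings outright.

```python
# Added example (not Ubiquiti's or Bishop Fox's code). Illustrates the
# raw-vs-normalized URI class: an access check that inspects the path as
# received, while the router dispatches on the normalized form. Route names
# and paths below are hypothetical.
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"  # hypothetical privileged route prefix


def canonicalize(raw_path: str) -> str:
    """Percent-decode, then collapse '.', '..' and repeated slashes,
    the way a typical router does before matching a route."""
    decoded = unquote(raw_path)
    canon = posixpath.normpath(decoded)
    # normpath strips a trailing slash; keep it so prefix checks still work
    if decoded.endswith("/") and not canon.endswith("/"):
        canon += "/"
    return canon


def needs_auth_vulnerable(raw_path: str) -> bool:
    """Flawed gate: decides on the raw URI, so an encoded or dot-segment
    spelling of a protected path is not recognised as protected."""
    return raw_path.startswith(PROTECTED_PREFIX)


def needs_auth_fixed(raw_path: str) -> bool:
    """Hardened gate: decides on the same canonical path the router uses."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIX)


def handle_fixed(raw_path: str, authenticated: bool) -> str:
    """Hardened request handling: reject any path whose raw and canonical
    forms differ (no guessing), then enforce auth on the canonical path."""
    canon = canonicalize(raw_path)
    if canon != raw_path:
        return "400 ambiguous path"
    if canon.startswith(PROTECTED_PREFIX) and not authenticated:
        return "401 unauthenticated"
    return "200 " + canon


def gate_disagreement(raw_path: str) -> bool:
    """True when the two gates disagree: the request passes the raw-path
    check yet lands on a protected route after normalization."""
    return needs_auth_fixed(raw_path) and not needs_auth_vulnerable(raw_path)
```

The defensive takeaway is the order of operations: canonicalize once, make every security decision on that one canonical form, and treat a request whose raw and canonical paths differ as malformed rather than guessing which one the backend will honour.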
🚨 CVE-2026-35273: Oracle PeopleSoft pre-auth RCE, exploited as a 0-day
• 🔥 CVSS 9.8, unauthenticated RCE in PeopleTools 8.61/8.62 (PSEMHUB) · EPSS 0.9233 (~99.8th pct)
• 📅 Exploited May 27–June 9, 2026, before Oracle's patch · now on CISA KEV (due 2026-06-15)
• 🔗 Chain: SSRF via /PSIGW/HttpListeningConnector → POST /PSEMHUB/hub → Java deserialization RCE
• 🕵️ Google/Mandiant attribute it to ShinyHunters-linked UNC6240: data-theft extortion (pay-or-leak), NOT encryption
• 📊 100+ orgs notified, ~68% higher ed · Victims: U. of Nottingham (~455k), NAIC (~3.1 TB)
• ⚠️ Patched before June 10? Still vulnerable. Webshells + XMLDecoder .xml survive patching; hunt before you restart
• 🛡️ Cheap fix: deny /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter
🔗 Full breakdown, IoCs & hunt commands: https://cve.tools/blog/cve-2026-35273-peoplesoft-psemhub-rce-breakdown
CVE Tools
CVE-2026-35273: Oracle PeopleSoft PSEMHUB pre-auth RCE, explained
How CVE-2026-35273 chains a PSIGW SSRF into unauthenticated Java deserialization on PeopleSoft PeopleTools 8.61/8.62; the ShinyHunters education-sector extortion campaign, the IoCs, and what to do now.
🪟 CVE-2026-44812: Win32k GRFX graphics RCE in the Preview Pane
🔍 CWE-190 integer overflow in Windows Win32k GRFX → heap corruption → local code execution
📊 CVSS 7.8 HIGH · AV:L / UI:R: victim previews/opens a crafted graphics file in the Explorer Preview Pane
📅 June 2026 Patch Tuesday (disclosed 2026-06-09)
⚖️ The "conflict" that isn't:
• MSRC: "Exploitation More Likely" (forward-looking code-path judgment)
• EPSS ~0.44% (~35th pct, 2026-07-01) · no public PoC · NOT in CISA KEV
→ attractive future target, not a live threat today
✅ Standard June patch ring for most assets
🚨 Escalate: multi-user terminal servers, VDI, RDP hosts, jump boxes
📱 Also Office for Android: fixed 2026-06-15, push via MDM/Play Store (Windows Update won't)
🔁 Re-triage as emergency on: public PoC · EPSS >~5% · KEV listing
🔗 Full breakdown: https://cve.tools/blog/cve-2026-44812-win32k-grfx-rce-breakdown
CVE Tools
CVE-2026-44812: Win32k GRFX integer-overflow RCE explained
How CVE-2026-44812 turns a crafted graphics file into local code execution via a Win32k integer overflow: June 2026 Patch Tuesday, CVSS 7.8, 'Exploitation More Likely', no public PoC yet, and how to patch and detect it.
🚨 CVE-2026-45657: Windows kernel TCP/IP UAF, wormable RCE
📊 CVSS 9.8 · unauthenticated · no user interaction → code exec at SYSTEM
🧬 Use-after-free (CWE-416) + heap overflow (CWE-122) in the kernel IP stack (attributed to tcpip.sys). ZDI: "Yup - this is wormable." EternalBlue-class profile, but IP stack, not SMB: no single port to firewall.
🩹 Patched 2026-06-09 (part of a record 208-CVE Patch Tuesday). Patch-only: no workaround.
🧠 Honest status (2026-07-01):
• No public PoC (0 GitHub repos)
• NOT in CISA KEV
• MS: "Exploitation Less Likely" · EPSS ~0.155
• The June in-the-wild bug was CVE-2026-41091 (Defender), not this
→ but the patch diff is the exploit roadmap, being reversed now. Patch internet-facing + flat-internal within ~7 days.
🖥️ Affected: Win 11 23H2/24H2/25H2/26H1 · Server 2022/2025 (incl. Server Core)
🔗 Full breakdown (KB/build matrix, attack chain, detection):
https://cve.tools/blog/cve-2026-45657-windows-kernel-tcpip-uaf-wormable-rce-breakdown
🔍 No port to block: exposure = who can reach the host. See what an attacker sees, free:
CVE Tools
CVE-2026-45657: Windows Kernel TCP/IP UAF wormable RCE, explained
CVE-2026-45657 is a CVSS 9.8 unauthenticated wormable use-after-free in the Windows Kernel TCP/IP stack, patched June 2026. No public PoC as of 2026-07-01. Patch on the emergency track: affected SKUs, KB matrix, detection, and exploitation chain.
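The two Windows posts above (CVE-2026-44812 and CVE-2026-45657) both reach a patch-ring decision by weighing KEV, in-the-wild reports, public PoC, EPSS and attack vector separately from CVSS. As an added example (not cve.tools code), here is that weighing written as a triage function. The thresholds are my assumptions, chosen so the function reproduces the channel's stated calls: standard ring for the Win32k bug, an elevated short-deadline track for the TCP/IP bug, emergency on KEV or in-the-wild exploitation.

```python
# Added example, not cve.tools code. Ranks a CVE by the signals the posts keep
# separate instead of by CVSS alone. Thresholds are assumptions.
from dataclasses import dataclass
from typing import List


@dataclass
class CveSignals:
    cve_id: str
    cvss: float
    attack_vector: str      # "network" or "local"
    in_kev: bool            # on the CISA KEV list
    exploited_itw: bool     # credible in-the-wild reports, KEV or not
    public_poc: bool
    epss: float             # probability in 0..1
    patched: bool = True    # vendor fix available


EPSS_ELEVATED = 0.05        # assumption: the post's "EPSS >~5%" re-triage trigger
PRIORITY_ORDER = {"emergency": 0, "elevated": 1, "standard": 2}


def triage(s: CveSignals) -> str:
    """Return 'emergency', 'elevated' or 'standard'."""
    if s.in_kev or s.exploited_itw:
        return "emergency"      # live exploitation beats every score
    if s.public_poc and not s.patched:
        return "emergency"      # unpatched with a working PoC
    if s.public_poc or s.epss > EPSS_ELEVATED:
        return "elevated"
    if s.cvss >= 9.0 and s.attack_vector == "network":
        return "elevated"       # pre-auth network bug: PoCs tend to follow the patch diff
    return "standard"


def rank(signals: List[CveSignals]) -> List[str]:
    """CVE ids ordered most urgent first; ties broken by EPSS, then CVSS."""
    ordered = sorted(signals, key=lambda s: (PRIORITY_ORDER[triage(s)], -s.epss, -s.cvss))
    return [s.cve_id for s in ordered]


# Signal values as stated in the two posts (snapshot dates as given there).
WIN32K = CveSignals("CVE-2026-44812", 7.8, "local", False, False, False, 0.0044)
TCPIP = CveSignals("CVE-2026-45657", 9.8, "network", False, False, False, 0.155)
```

The point of keeping the signals as separate fields is that each one can change on its own: a KEV listing or a public PoC flips the Win32k bug to emergency overnight without its CVSS moving at all, which is exactly the re-triage rule the post spells out.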
🔴 CVE-2026-46817: Oracle EBS Payments unauth file read (CVSS 9.8)
⚠️ Exploited in the wild since 27 June 2026, before any public PoC existed.
📉 The signal trap: EPSS just 0.68% • NOT on CISA KEV yet. Both lag private exploits; don't wait for them.
How it works:
• Unauth POST → /OA_HTML/ibytransmit (Payments File Transmission)
• Abuses CODEX_PULL + FULL_FILE_PATH → reads any server file (PoC: /etc/passwd)
• Loot: dbc/context files, EBS wallet, payment API keys
• Confirmed primitive = file read, not RCE (Oracle scores it as full takeover because of the readable secrets)
📦 Affected: EBS 12.2.3–12.2.15 • Fix: May 2026 Oracle CPU • ~900–950 instances internet-exposed
🚫 No credible actor attribution, and this is NOT the 2025 Cl0p / CVE-2025-61882 bug.
✅ Do now: patch → block /OA_HTML/ibytransmit externally → rotate secrets if you were exposed (patching won't undo credential theft).
🔗 Full breakdown: https://cve.tools/blog/cve-2026-46817-oracle-ebs-payments-file-read-breakdown
CVE Tools
CVE-2026-46817: Oracle E-Business Suite Payments unauth file read, explained
How CVE-2026-46817 abuses the Oracle Payments File Transmission servlet (/OA_HTML/ibytransmit, CODEX_PULL/FULL_FILE_PATH) for an unauthenticated file read on EBS 12.2.3-12.2.15 -- exploited in the wild, not yet on KEV. Detection, patch and IR.
🚨 CVE-2026-48558: SimpleHelp OIDC auth bypass (CVSS 10.0)
🔍 With OIDC SSO on, SimpleHelp accepts the login token without verifying its signature (CWE-347). Remote + unauthenticated → forge a token → full Technician session → pivot to every managed endpoint.
💡 MFA doesn't save you: the forged identity is a "new" technician who can self-enroll their own MFA device.
Reading the axes straight:
• CVSS 10.0, Scope: Changed (crosses into downstream hosts)
• EPSS: low (precondition: OIDC group login enabled)
• KEV: added 2026-06-29, exploited in the wild
✅ Affected: 5.5.15 & earlier + all 6.0 pre-release. Fixed: 5.5.16 / 6.0 RC2.
⚠️ Preserve logs and triage BEFORE upgrading: it's remote-support tooling; don't wipe evidence.
🔗 Full breakdown + IoCs: https://cve.tools/blog/simplehelp-cve-2026-48558-oidc-auth-bypass-explained
CVE Tools
CVE-2026-48558: SimpleHelp OIDC Auth Bypass (CVSS 10.0, KEV, Exploited)
CVE-2026-48558 lets a remote, unauthenticated attacker forge an OIDC token and gain a privileged SimpleHelp technician session, pivoting to every managed endpoint. What it is, the exploitation chain, IoCs, and what to do.
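CWE-347, the bug class behind the SimpleHelp post above, is easiest to see in a few lines of code. As an added example (not part of the CVE Pulse post, and not SimpleHelp's code), here is a compact JWS-style token: one function reads the claims out of it without ever looking at the signature, the other verifies the signature with the issuer's key and pins the algorithm before trusting a single claim. To stay self-contained it uses an HMAC (HS256) shared key where a real OIDC deployment verifies against the provider's published public keys; the key, issuer and claim values are constructed for the demo.

```python
# Added example, not SimpleHelp's code. A miniature of CWE-347: a consumer
# that decodes claims without checking the signature accepts a token signed
# with the wrong key; one that verifies does not. HS256 shared key used for
# self-containment; IDP_KEY, ISSUER and the claims are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue header.payload.signature with an HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def claims_unverified(token: str) -> dict:
    """The vulnerable pattern: decode the payload, never look at the signature."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def claims_verified(token: str, key: bytes, expected_issuer: str) -> Optional[dict]:
    """Fixed: pin the algorithm, constant-time signature check, then issuer check."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose its own algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != expected_issuer:
        return None
    return claims


IDP_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed
ISSUER = "https://idp.example.test"                    # constructed


def demo() -> Tuple[str, Optional[str]]:
    """Who each consumer believes is logging in when the token was signed
    with a key the issuer never held."""
    forged = sign_hs256({"iss": ISSUER, "sub": "mallory", "role": "technician"}, b"junk")
    seen_by_vulnerable = claims_unverified(forged)["sub"]
    checked = claims_verified(forged, IDP_KEY, ISSUER)
    return seen_by_vulnerable, None if checked is None else checked["sub"]
```

Two details in `claims_verified` carry most of the weight: the algorithm is fixed by the consumer rather than read from the token, and the comparison is constant-time. The post's MFA point follows directly: if the identity in the token is trusted before the signature is checked, everything layered on top of that identity, MFA enrolment included, is built on an unverified claim.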
🛡️➡️🛡️ RoguePlanet: Microsoft Defender IS the attack surface
CVE-2026-50656: unpatched EoP zero-day in Defender's MsMpEng engine. Standard user → SYSTEM on fully patched Windows 10/11.
🔍 CWE-59 link-following in the quarantine pipeline
⏸️ VSS oplock makes the race deterministic
🪝 NTFS junction swap redirects Defender's SYSTEM write
🧩 7-stage chain, precompiled PoC on GitHub (1,471★ / 592 forks)
Status, kept separate:
• CVSS: 7.8 (Microsoft) / 7.0 (NVD), temporal 7.6
• EPSS: 3.4% (87th percentile)
• CISA KEV: NOT listed (2026-07-01)
• ITW: Qualys says active, MSRC says "not detected" but "Exploitation More Likely" → treat as HIGH
⚠️ No patch yet. Interim controls only: WDAC enforced mode, block virtual-disk auto-mount, alert on MsMpEng.exe spawning a SYSTEM shell.
🔗 Full breakdown: https://cve.tools/blog/cve-2026-50656-rogueplanet-defender-eop
CVE Tools
CVE-2026-50656 RoguePlanet: Unpatched Microsoft Defender EoP Zero-Day
CVE-2026-50656 (RoguePlanet) is an unpatched CWE-59 zero-day in Microsoft Defender's MsMpEng engine. CVSS 7.8, public C++ PoC (1,471 stars), active Nightmare-Eclipse campaign. Full 7-stage kill chain, Sigma/KQL detection rules, and interim controls; no patch…
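The post's third interim control, "alert on MsMpEng.exe spawning a SYSTEM shell", is a parent/child/token rule. As an added example (not the Sigma/KQL rules from the cve.tools breakdown), here it is applied to constructed Sysmon-style process-creation events; the Defender platform path and the event records are made up for the demo.

```python
# Added example, not cve.tools' detection rules. Flags process-creation events
# where Defender's engine is the parent, the child is a shell or script host,
# and the token is SYSTEM. Field names follow Sysmon Event ID 1; all events
# and the engine path below are constructed.
from typing import Dict, List

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DEFENDER_ENGINE = "msmpeng.exe"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_defender_spawned_shell(event: Dict[str, str]) -> bool:
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    user = event.get("User", "").upper()
    return parent == DEFENDER_ENGINE and child in SHELL_IMAGES and user.endswith("\\SYSTEM")


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the rule, in log order."""
    return [e for e in events if is_defender_spawned_shell(e)]


ENGINE_PATH = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-demo\MsMpEng.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": "1", "Image": ENGINE_PATH,
     "ParentImage": r"C:\Windows\System32\services.exe", "User": SYSTEM},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": ENGINE_PATH, "User": SYSTEM},              # the one to alert on
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"EventID": "1", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": ENGINE_PATH, "User": SYSTEM},
]
```

Baseline what MsMpEng.exe legitimately launches in your estate before enforcing this as a blocking rule; the allowlist of child images is the part most likely to need tuning, and matching on the parent's file name alone is deliberately loose so a relocated engine binary still trips it.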
🚨 CVE-2026-8037: Progress LoadMaster pre-auth RCE (root)
One unauthenticated request to the management API (POST /accessv2) runs OS commands as root. Root cause: an uninitialised, unterminated heap buffer in the input-escaping routine, a memory bug, not a filter gap.
🔻 CVSS 9.6 (some outlets 9.8), unauthenticated, root impact
🔻 LoadMaster, ECS + Object Scale Connection Manager, MOVEit WAF (≠ MOVEit Transfer)
🔻 Public PoC + exploitation attempts since 29 Jun (reported unsuccessful, no attribution)
🔻 Only reachable when the API is enabled: isolate the mgmt interface
✅ Patch: GA 7.2.63.2 / LTSF 7.2.54.18 (also fixes CVE-2026-33691)
⚠️ Not on CISA KEV yet; don't wait for it
🔗 Full breakdown: https://cve.tools/blog/cve-2026-8037-progress-loadmaster-pre-auth-rce-breakdown
CVE Tools
CVE-2026-8037: Progress LoadMaster pre-auth command injection (root RCE), explained
How CVE-2026-8037 abuses an uninitialised, unterminated heap buffer in the Progress LoadMaster /accessv2 API for unauthenticated root RCE across LoadMaster, ECS/Object Scale Connection Manager and MOVEit WAF (fixed 7.2.63.2 / 7.2.54.18). Exploitation attempts…
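Several posts in this channel come down to a request pattern you can look for in web-server access logs: a quote in Cacti's rfilter parameter on graph_view.php (CVE-2026-39893), traffic to PeopleSoft's /PSEMHUB/ and /PSIGW/HttpListeningConnector (CVE-2026-35273), POSTs to Oracle EBS /OA_HTML/ibytransmit (CVE-2026-46817) and POSTs to the LoadMaster /accessv2 API (CVE-2026-8037). As an added example (not cve.tools code), here is one small hunt script that runs those rules over combined-format log lines; the log lines are constructed and the regex assumes the common combined format, so adapt it to your server.

```python
# Added example, not cve.tools code. Access-log hunt for the request patterns
# named in the channel's posts. Log lines are constructed; LOG_RE assumes the
# common combined log format.
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path)
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # values are %-decoded
    return rec


def cacti_rfilter_quote(r: Dict) -> bool:
    # the Cacti post's stopgap WAF rule: a quote in rfilter on graph_view.php
    return r["path"].endswith("/graph_view.php") and any(
        "'" in v or '"' in v for v in r["query"].get("rfilter", []))


def peoplesoft_psemhub(r: Dict) -> bool:
    return r["path"].startswith("/PSEMHUB/") or r["path"] == "/PSIGW/HttpListeningConnector"


def ebs_ibytransmit_post(r: Dict) -> bool:
    # CODEX_PULL / FULL_FILE_PATH travel in the POST body, which access logs
    # do not record, so the log rule can only match on method + path
    return r["method"] == "POST" and r["path"] == "/OA_HTML/ibytransmit"


def loadmaster_accessv2_post(r: Dict) -> bool:
    return r["method"] == "POST" and r["path"] == "/accessv2"


RULES: Dict[str, Callable[[Dict], bool]] = {
    "cacti_rfilter_quote": cacti_rfilter_quote,
    "peoplesoft_psemhub": peoplesoft_psemhub,
    "ebs_ibytransmit_post": ebs_ibytransmit_post,
    "loadmaster_accessv2_post": loadmaster_accessv2_post,
}


def hunt(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(rule, client ip, method, path) for every line a rule matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rule in RULES.items():
            if rule(rec):
                hits.append((name, rec["ip"], rec["method"], rec["path"]))
    return hits


SAMPLE_LOG = [  # constructed lines; RFC 5737 documentation addresses
    '203.0.113.7 - - [03/Jul/2026:10:01:02 +0000] "GET /cacti/graph_view.php?action=tree&rfilter=cpu HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Jul/2026:10:01:09 +0000] "GET /cacti/graph_view.php?action=tree&rfilter=cpu%27 HTTP/1.1" 500 312',
    '198.51.100.4 - - [03/Jul/2026:10:02:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 77',
    '198.51.100.4 - - [03/Jul/2026:10:02:30 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 2048',
    '192.0.2.9 - - [03/Jul/2026:10:03:00 +0000] "POST /accessv2 HTTP/1.1" 200 0',
    '192.0.2.9 - - [03/Jul/2026:10:03:05 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1500',
]
```

The path and query are percent-decoded before the rules run, so an encoded quote still matches; the trade-off noted in `ebs_ibytransmit_post` applies generally: anything that arrives in a request body needs a proxy or application log, and a hit on method + path is a lead to pull those, not a verdict.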
💡 CVE-2026-45659: the "forgotten" SharePoint RCE now in CISA KEV
• CWE-502 deserialization RCE in on-prem SharePoint 2016 / 2019 / Subscription Edition (Online not affected)
• CVSS 8.8: authenticated, but only Site Member permissions
• Patched May 2026, but left out of the update summary; in KEV since 1 Jul (deadline passed)
• No legit public PoC; GitHub "PoCs" are malware lures
• ⚠️ Runs in w3wp.exe & steals ASP.NET MachineKeys: patch ≠ eviction, rotate the keys
Chain, affected builds, detection + IR 👇
https://cve.tools/blog/cve-2026-45659-sharepoint-deserialization-rce-breakdown
CVE Tools
CVE-2026-45659: SharePoint Server deserialization RCE, explained
How CVE-2026-45659 turns an authenticated Site Member login into code execution on on-prem SharePoint 2016/2019/Subscription Edition via CWE-502 deserialization -- in CISA KEV, no public PoC. Affected builds, detection, patch and MachineKey-rotation IR.
