CVE Pulse
The vulnerabilities that are actually being exploited. Not by CVSS, by facts: KEV, exploits, who's under fire. Breakdowns, a weekly signal, monthly trends, and how to check your own exposure. By cve.tools.
👋 This is CVE Pulse — the official channel from cve.tools.

“Critical” by CVSS ≠ dangerous. What's dangerous is what's being exploited. We surface exactly those CVEs and break down: what's broken, who's attacking, how to check your own systems, and what to fix first.

Formats: #breakdown of fresh CVEs · weekly #signal · monthly #trends · product #release.

Verify any CVE → cve.tools/verify
Breakdowns & trends → cve.tools

πŸ›‘οΈ CVE-2026-39893 β€” Cacti pre-auth SQL injection (CVSS 9.8)

Cacti ≀ 1.2.30: the graph-filter "rfilter" is concatenated into a MySQL RLIKE clause in graph_view.php with only a regex check. A quote slips past into the database.

β€’ Pre-auth ONLY if guest graph viewing is enabled (off by default) β†’ otherwise authenticated-only. The 9.8 is worst-case.
β€’ No public PoC / KEV / in-the-wild activity yet (3 Jul 2026).
β€’ But: the same bug was an unauth SQLi in 2023 (CVE-2023-39361), and Cacti pre-auth bugs turn into botnets fast β†’ patch before the PoC.

βœ… Fix: upgrade to 1.2.31. Stopgap: disable guest access + WAF rule rejecting a quote in rfilter.

πŸ“– Full breakdown: https://cve.tools/blog/cacti-cve-2026-39893-rfilter-sql-injection-explained
🔴 CVE-2025-61882 — Oracle EBS pre-auth RCE, exploited in the wild

⚙️ CVSS 9.8 — unauthenticated, network, no user interaction
🏢 Oracle E-Business Suite 12.2.3–12.2.14
📈 EPSS 0.997 (99.95th pct) — public exploit exists
🚨 CISA KEV — listed 6 Oct 2025, ransomware-flagged
🕵️ Cl0p zero-day since ~9 Aug 2025 (traces to 10 Jul) — long dwell time

🔑 Mechanism: XSLT / XSL template injection (javax.script eval), NOT deserialization
⚠️ Patch ≠ done: also apply CVE-2025-61884, and if you were exposed — hunt for a web shell + rotate secrets. Patching won't undo stolen data.
🧩 Operators (Cl0p) ≠ leakers (Scattered Lapsus$ Hunters). Google does NOT attribute exploitation to ShinyHunters.

Confirmed victims: The Washington Post, GlobalLogic/Hitachi, Harvard, Dartmouth, Envoy Air.

📖 Full breakdown → https://cve.tools/blog/cve-2025-61882-oracle-ebs-preauth-rce-cl0p

🚨 Cisco Catalyst SD-WAN — CVE-2026-20245 (root access)

Exploited as a 0-day ~2 months before Cisco disclosed it. Now on CISA KEV; the June 23 federal patch deadline has passed.

Read the numbers honestly:
📊 CVSS 7.8 HIGH — but LOCAL + netadmin (privesc to root, not an internet RCE)
🎯 KEV: confirmed in-the-wild exploitation
📈 EPSS: top ~5% (94.99th percentile)

⛓ The real risk is the chain: auth-bypass bugs CVE-2026-20182 (CVSS 10.0) + CVE-2026-20127 → netadmin, then 20245 → commands as root on vManage/vSmart/vBond, a hidden root account, logs wiped.
🛠 No workaround — upgrade, and patch the whole chain.
🕵️ SD-WAN gear runs no EDR — no alerts ≠ clean. Assume breach and hunt.

📖 Full breakdown + IoCs: https://cve.tools/blog/cisco-sd-wan-cve-2026-20245-root-access-explained

🔥 CVE-2026-24858 + FortiBleed: patch the bug, but chase the credentials

🛑 The CVE: FortiCloud SSO auth bypass (CWE-288), pre-auth, CVSS 9.8, on CISA KEV since Jan 27, 2026 — but PATCHED by Fortinet in January (FG-IR-26-060).
🩸 FortiBleed: the live credential campaign. Fortinet says it's NOT a new exploit — it's reuse + brute force. This CVE helped fill the pool.
📊 SOCRadar: 86,644 exposed devices, 194 countries — ~half of internet-facing Fortinet. "FortigateSniffer" implants sniff creds across ~24 protocols.
❓ Attribution to a Russian-speaking broker ("SantaAd") is tentative and unconfirmed.

✅ Today: rotate every Fortinet credential + enforce MFA. Patching alone won't undo harvested creds.

📖 Full breakdown: https://cve.tools/blog/cve-2026-24858-fortinet-sso-bypass-fortibleed-explained

🚨 UniFi OS Server — unauthenticated RCE to root

CVE-2026-34910 · CVSS 10.0 · on CISA KEV · exploited in the wild

🔗 The chain (per Bishop Fox, validated on live 5.0.6):
• CVE-2026-34908 + CVE-2026-34909 — auth bypass (raw-vs-normalized URI)
• CVE-2026-34910 — command injection via an unvalidated package name
• passwordless sudo → trivial root
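The "raw-vs-normalized URI" bug class in the first link of the chain, as an added example that is not Ubiquiti's or Bishop Fox's code: a hypothetical mini-router whose access check runs on the raw request path while the router dispatches the normalized one, beside the hardened ordering that normalizes once and authorizes the same string it routes. The route table and request paths are constructed.

```python
# Added example, not Ubiquiti's or Bishop Fox's code: a hypothetical mini-router
# showing why authorization must run on the same (normalized) path that is routed.
import posixpath
from urllib.parse import unquote

# Constructed route table: prefixes that require an authenticated session.
PROTECTED_PREFIXES = ("/api/admin",)


def normalize(raw_path: str) -> str:
    """Decode percent-encoding and resolve dot-segments the way a router would."""
    decoded = unquote(raw_path.split("?", 1)[0])
    normalized = posixpath.normpath(decoded)  # collapses "a/../b" and "//"
    return normalized if normalized.startswith("/") else "/" + normalized


def is_protected(path: str) -> bool:
    """True when the path sits under a prefix that needs a session."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def dispatch_vulnerable(raw_path: str, authenticated: bool) -> str:
    """Vulnerable ordering: the access check sees the raw URI but the router sees
    the normalized one, so the two can disagree about which handler is reached."""
    if is_protected(raw_path) and not authenticated:
        return "401"
    return "200 " + normalize(raw_path)


def dispatch_hardened(raw_path: str, authenticated: bool) -> str:
    """Hardened ordering: normalize once, then authorize and route the same string."""
    target = normalize(raw_path)
    if is_protected(target) and not authenticated:
        return "401"
    return "200 " + target


if __name__ == "__main__":
    for raw in ("/api/admin/users", "/static/../api/admin/users"):
        print(raw, "->", dispatch_vulnerable(raw, False), "|", dispatch_hardened(raw, False))
```

A stricter variant of the hardened handler also refuses any request whose raw and normalized forms differ, which removes the ambiguity before it reaches any check at all; the trade-off is that legitimate encoded paths get a 400 instead of being served.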

⚠️ No password, no user interaction, no failed-login trail to hunt.
👀 In the wild: rogue "John Sim" admin accounts + Mirai-style botnet. Detection script published; no working exploit released.

✅ Fix: upgrade UniFi OS Server to 5.0.8+ (also 5.1.10/5.1.11/5.1.12), take the mgmt UI off the internet, assume-breach hunt.

📖 Full breakdown: https://cve.tools/blog/unifi-os-cve-2026-34910-unauthenticated-rce-chain-explained

🚨 CVE-2026-35273 — Oracle PeopleSoft pre-auth RCE, exploited as a 0-day

• 💥 CVSS 9.8, unauthenticated RCE in PeopleTools 8.61/8.62 (PSEMHUB) · EPSS 0.9233 (~99.8th pct)
• 📅 Exploited May 27–June 9, 2026 — before Oracle's patch · now on CISA KEV (due 2026-06-15)
• 🔗 Chain: SSRF via /PSIGW/HttpListeningConnector → POST /PSEMHUB/hub → Java deserialization RCE
• 🕵️ Google/Mandiant attribute it to ShinyHunters-linked UNC6240 — data-theft extortion (pay-or-leak), NOT encryption
• 🎓 100+ orgs notified, ~68% higher ed · Victims: U. of Nottingham (~455k), NAIC (~3.1 TB)
• ⚠️ Patched before June 10? Still vulnerable. Webshells + XMLDecoder .xml survive patching — hunt before you restart
• 🛡️ Cheap fix: deny /PSEMHUB/* and /PSIGW/HttpListeningConnector at the perimeter

📖 Full breakdown, IoCs & hunt commands: https://cve.tools/blog/cve-2026-35273-peoplesoft-psemhub-rce-breakdown

🪟 CVE-2026-44812 — Win32k GRFX graphics RCE in the Preview Pane

🔎 CWE-190 integer overflow in Windows Win32k GRFX → heap corruption → local code execution
📏 CVSS 7.8 HIGH · AV:L / UI:R — victim previews/opens a crafted graphics file in the Explorer Preview Pane
🗓 June 2026 Patch Tuesday (disclosed 2026-06-09)

⚖️ The "conflict" that isn't:
• MSRC: "Exploitation More Likely" (forward-looking code-path judgment)
• EPSS ~0.44% (~35th pct, 2026-07-01) · no public PoC · NOT in CISA KEV
→ attractive future target, not a live threat today

✅ Standard June patch ring for most assets
🚨 Escalate: multi-user terminal servers, VDI, RDP hosts, jump boxes
📱 Also Office for Android — fixed 2026-06-15, push via MDM/Play Store (Windows Update won't)
🔁 Re-triage as emergency on: public PoC · EPSS > ~5% · KEV listing

📖 Full breakdown: https://cve.tools/blog/cve-2026-44812-win32k-grfx-rce-breakdown

🚨 CVE-2026-45657 — Windows kernel TCP/IP UAF, wormable RCE

🔓 CVSS 9.8 · unauthenticated · no user interaction → code exec as SYSTEM
🧬 Use-after-free (CWE-416) + heap overflow (CWE-122) in the kernel IP stack (attributed to tcpip.sys). ZDI: "Yup — this is wormable." EternalBlue-class profile, but IP stack, not SMB — no single port to firewall.
🩹 Patched 2026-06-09 (part of a record 208-CVE Patch Tuesday). Patch-only — no workaround.

🧊 Honest status (2026-07-01):
• No public PoC (0 GitHub repos)
• NOT in CISA KEV
• MS: "Exploitation Less Likely" · EPSS ~0.155
• The June in-the-wild bug was CVE-2026-41091 (Defender), not this
→ but the patch diff is the exploit roadmap, and it is being reversed now. Patch internet-facing + flat-internal within ~7 days.

🖥 Affected: Win 11 23H2/24H2/25H2/26H1 · Server 2022/2025 (incl. Server Core)

📖 Full breakdown (KB/build matrix, attack chain, detection):
https://cve.tools/blog/cve-2026-45657-windows-kernel-tcpip-uaf-wormable-rce-breakdown

🔎 No port to block — exposure = who can reach the host. See what an attacker sees, free:

🔴 CVE-2026-46817 — Oracle EBS Payments unauth file read (CVSS 9.8)

⚠️ Exploited in the wild since 27 June 2026 — before any public PoC existed.
🎭 The signal trap: EPSS just 0.68% • NOT on CISA KEV yet. Both lag private exploits — don't wait for them.

How it works:
• Unauth POST → /OA_HTML/ibytransmit (Payments File Transmission)
• Abuses CODEX_PULL + FULL_FILE_PATH → reads any server file (PoC: /etc/passwd)
• Loot: dbc/context files, EBS wallet, payment API keys
• Confirmed primitive = file read, not RCE (Oracle scores it as full takeover because of the readable secrets)
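Both Oracle posts end with the same cheap control: deny a handful of paths at the perimeter (/OA_HTML/ibytransmit here, /PSEMHUB/* and /PSIGW/HttpListeningConnector in the PeopleSoft post above). The flip side of that control is checking whether those paths were already hit from outside. Below is an added example, not cve.tools' hunt script and not Oracle's: a scanner over Apache-style access logs that decodes the request path (including double encoding), matches the watched prefixes case-insensitively and reports hits from addresses outside the internal ranges. The log lines, the internal ranges and the log format are constructed.

```python
# Added example (not cve.tools' or Oracle's code): flag external hits on the
# perimeter paths named in the EBS Payments and PeopleSoft posts.
import ipaddress
import re
from urllib.parse import unquote

# Paths from the two posts; matched as prefixes after decoding, case-insensitively.
WATCH_PREFIXES = ("/oa_html/ibytransmit", "/psemhub/", "/psigw/httplisteningconnector")
# Assumption: these are the address ranges that legitimately reach the app tier.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(raw: str) -> str:
    """Drop the query string, decode percent-encoding twice (catches %2550-style
    double encoding) and lowercase, so encoding tricks do not dodge the prefix match."""
    path = raw.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: treat as external so it is reviewed
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Return (ip, method, canonical_path, status) for external hits on watched paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = canonical_path(m["path"])
        if not path.startswith(WATCH_PREFIXES) or is_internal(m["ip"]):
            continue
        hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.9 - - [28/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.20.30.40 - - [28/Jun/2026:03:15:00 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 418 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Jun/2026:03:16:11 +0000] "GET /PSIGW/HttpListeningConnector?foo=1 HTTP/1.1" 200 77 "-" "curl/8.4"
198.51.100.7 - - [28/Jun/2026:03:16:12 +0000] "POST /%50SEMHUB/hub HTTP/1.1" 500 0 "-" "curl/8.4"
192.0.2.5 - - [28/Jun/2026:03:20:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("EXTERNAL HIT", *hit)
```

A 200 on ibytransmit from an external address is the line to start from; the post's own advice then applies (rotate the secrets readable through the file-read primitive) because the log proves exposure, not absence of theft.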

📦 Affected: EBS 12.2.3–12.2.15 • Fix: May 2026 Oracle CPU • ~900–950 instances internet-exposed
🚫 No credible actor attribution — and this is NOT the 2025 Cl0p / CVE-2025-61882 bug.

✅ Do now: patch → block /OA_HTML/ibytransmit externally → rotate secrets if you were exposed (patching won't undo credential theft).

📖 Full breakdown: https://cve.tools/blog/cve-2026-46817-oracle-ebs-payments-file-read-breakdown

🚨 CVE-2026-48558 — SimpleHelp OIDC auth bypass (CVSS 10.0)

🔓 With OIDC SSO on, SimpleHelp accepts the login token without verifying its signature (CWE-347). Remote + unauthenticated → forge a token → full Technician session → pivot to every managed endpoint.
🛑 MFA doesn't save you: the forged identity is a "new" technician who can self-enroll their own MFA device.
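The CWE-347 pattern above in miniature, as an added example that is not SimpleHelp's code: a hypothetical login handler that decodes a JWT and trusts its claims without looking at the signature, beside the hardened handler that pins the algorithm, verifies the signature with a constant-time compare over the exact signed bytes and enforces expiry. HS256 with a shared key is used so the block is self-contained; real OIDC ID tokens are RS256/ES256 and are verified against the provider's published JWKS, but the ordering of the checks is the same. Keys and claims are constructed.

```python
# Added example (not SimpleHelp's code): accept-without-verify beside verify-then-accept.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT the way the identity provider would (HS256 for self-containment)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def login_unverified(token: str) -> str:
    """Vulnerable: reads the subject out of the payload and never checks the signature,
    so any token-shaped string names whoever it likes."""
    _, payload, _ = token.split(".")
    return json.loads(_unb64url(payload))["sub"]


def login_verified(token: str, key: bytes, now=None) -> str:
    """Hardened: pin the algorithm, verify the MAC over the exact signed bytes with a
    constant-time compare, then enforce expiry; only then trust the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick 'none' or swap algs
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims["sub"]


# Constructed keys: the provider's, and one that the provider never issued.
PROVIDER_KEY = b"constructed-provider-key"
OTHER_KEY = b"constructed-key-the-provider-never-had"

if __name__ == "__main__":
    good = sign_hs256({"sub": "tech-alice", "exp": 2_000_000_000}, PROVIDER_KEY)
    rogue = sign_hs256({"sub": "tech-mallory", "exp": 2_000_000_000}, OTHER_KEY)
    print("unverified accepts rogue token as:", login_unverified(rogue))
    print("verified accepts provider token as:", login_verified(good, PROVIDER_KEY))
    try:
        login_verified(rogue, PROVIDER_KEY)
    except ValueError as e:
        print("verified rejects rogue token:", e)
```

The MFA remark in the post follows directly from the vulnerable function: once `login_unverified` returns an arbitrary subject, any per-user second factor keyed on that subject is enrolled by the same untrusted identity.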

Reading the axes straight:
• CVSS 10.0 — Scope: Changed (crosses into downstream hosts)
• EPSS — low (precondition: OIDC group login enabled)
• KEV — added 2026-06-29, exploited in the wild

✅ Affected: 5.5.15 & earlier + all 6.0 pre-release. Fixed: 5.5.16 / 6.0 RC2.
⚠️ Preserve logs and triage BEFORE upgrading — it's remote-support tooling; don't wipe evidence.

📖 Full breakdown + IoCs: https://cve.tools/blog/simplehelp-cve-2026-48558-oidc-auth-bypass-explained

πŸ›‘οΈβž‘οΈπŸ—‘οΈ RoguePlanet β€” Microsoft Defender IS the attack surface

CVE-2026-50656 β€” unpatched EoP zero-day in Defender's MsMpEng engine. Standard user β†’ SYSTEM on fully patched Windows 10/11.

πŸ”— CWE-59 link-following in the quarantine pipeline
⏸️ VSS oplock makes the race deterministic
πŸͺ NTFS junction swap redirects Defender's SYSTEM write
🧩 7-stage chain, precompiled PoC on GitHub (1,471β˜… / 592 forks)

Status, kept separate:
β€’ CVSS: 7.8 (Microsoft) / 7.0 (NVD) β€” temporal 7.6
β€’ EPSS: 3.4% (87th percentile)
β€’ CISA KEV: NOT listed (2026-07-01)
β€’ ITW: Qualys says active, MSRC says "not detected" but "Exploitation More Likely" β†’ treat as HIGH

⚠️ No patch yet. Interim controls only: WDAC enforced mode, block virtual-disk auto-mount, alert on MsMpEng.exe spawning a SYSTEM shell.

πŸ“– Full breakdown: https://cve.tools/blog/cve-2026-50656-rogueplanet-defender-eop
🚨 CVE-2026-8037 — Progress LoadMaster pre-auth RCE (root)

One unauthenticated request to the management API (POST /accessv2) runs OS commands as root. Root cause: an uninitialised, unterminated heap buffer in the input-escaping routine — a memory bug, not a filter gap.

🔻 CVSS 9.6 (some outlets 9.8), unauthenticated, root impact
🔻 LoadMaster, ECS + Object Scale Connection Manager, MOVEit WAF (≠ MOVEit Transfer)
🔻 Public PoC + exploitation attempts since 29 Jun (reported unsuccessful, no attribution)
🔻 Only reachable when the API is enabled — isolate the mgmt interface
✅ Patch: GA 7.2.63.2 / LTSF 7.2.54.18 (also fixes CVE-2026-33691)
⚠️ Not on CISA KEV yet — don't wait for it

📖 Full breakdown: https://cve.tools/blog/cve-2026-8037-progress-loadmaster-pre-auth-rce-breakdown

🛑 CVE-2026-45659 — the "forgotten" SharePoint RCE now in CISA KEV

• CWE-502 deserialization RCE in on-prem SharePoint 2016 / 2019 / Subscription Edition (Online not affected)
• CVSS 8.8 — authenticated, but only Site Member permissions
• Patched May 2026, but left out of the update summary → in KEV since 1 Jul (deadline passed)
• No legit public PoC — GitHub "PoCs" are malware lures
• ⚠️ Runs in w3wp.exe & steals ASP.NET MachineKeys — patch ≠ eviction, rotate the keys

Chain, affected builds, detection + IR 👇
https://cve.tools/blog/cve-2026-45659-sharepoint-deserialization-rce-breakdown