Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.

Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment. 

VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and CVE-2026-39813, a path-traversal vulnerability, on June 15. 

Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.

Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said. 

Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. 

“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.

Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.

The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.

The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.

Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture. 

“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email. 

Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”

The post Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency on Wednesday ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of push to “patch smarter, not harder.”

Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.

CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday, framing it as a rethinking of vulnerability management more broadly.

“This Directive provides clear definitions, timelines and criteria that enhances transparency, predictability and agencies’ resource planning to execute more effective vulnerability remediation,” Andersen said in a statement. “CISA is leading and collaborating with federal civilian agencies to stay ahead of our adversaries as tactics, technologies and vulnerabilities change.”

BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised. 

More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known, exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.

The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last week.

BODs aren’t mandatory for anyone outside of federal agencies, but CISA encourages the private sector to embrace them. CISA officials said in a blog post about the need to “patch smarter, not harder” that “defenders are already struggling to keep up.”

“Artificial intelligence is assisting both researchers and adversaries in identifying flaws in software, vastly increasing the pace at which new vulnerabilities are discovered,” wrote Chris Butera, acting executive assistant director for cybersecurity, and Jonathan Spring , senior technical adviser. “Per Verizon’s 2026 Data Breach Investigations Report, only 26% of vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025, a drop from the previous year’s 38%. The median time for full resolution rose to 43 days.”

The move from weeks to days for agencies to patch the most urgent vulnerabilities is something CISA has discussed with some agencies to see if it’s doable, Butera told reporters Wednesday. At one large agency CISA analyzed, just 1% of vulnerabilities fell into the 3-day window, while 60% could be deferred to the next system upgrade.

“We’ve engaged with a few federal agencies ahead of this directive and tried to socialize some of these new time frames,” he said. “We really believe we should be able to free up some time to patch the most urgent vulnerabilities faster, while allowing for more regular patch cycles for some of the lower risk vulnerabilities.”

Patrick Garrity, a security researcher at VulnCheck, said the CISA directive joins similar guidance out of India and the United Kingdom.

“It’s clear the momentum is growing and pushing in the right direction,” he told CyberScoop. “The new directive aligns exactly with the approach we’ve been taking with customers for years, leveraging exploit intelligence to focus on the subset of vulnerabilities that enterprises, governments and vendors really need to address. While it’s mandated for federal organizations, it’s something the private sector should pay attention to as well.”

Tod Beardsley, vice president of security research at runZero and former KEV section chief at CISA, wrote on LinkedIn that there are several noteworthy potential impacts of the BOD, among them that he thinks three-day deadlines will end up being frequent.

“I remain dubious that a three day deadline spread across more than a hundred agencies is an achievable patch cadence today, but we’ll all find out together,” he said.

Updated 6/10/26: Includes Chris Butera comments on timelines, and comments from Patrick Garrity and Tod Beardsley.

The post CISA directive orders agencies to prioritize vulnerability patching in a new way appeared first on CyberScoop.

Cisco customers are confronting yet another actively exploited zero-day vulnerability affecting the vendor’s SD-WAN management software, reinforcing pressure on organizations that have experienced rare breaks from active threats this year.

The vulnerability — CVE-2026-20245 — marks the seventh actively exploited zero-day in Cisco SD-WANs this year.

Cisco said it first became aware of active exploitation of the latest defect in the network management software earlier this month. The company disclosed the vulnerability, which was first spotted by Mandiant, on Thursday and warned that a security patch is not yet available and there are no workarounds to mitigate the defect in the meantime.

“A patch for this vulnerability will be provided on a future date,” a company spokesperson said in a statement. 

Cisco did not attribute the attacks to any specific group, describe the objectives of those attacks or share how many organizations have already been impacted.

The validation error defect affecting the Cisco Catalyst SD-WAN Manager allows authenticated or local attackers to execute commands as root, resulting in command-injection attacks on an affected system, the company said.

Yet, the scope of potential impact may be limited because exploitation requires valid credentials or privileged access through other means. Cisco said exploitation of a pair of zero-days it disclosed earlier this year —  CVE-2026-20182 or CVE-2026-20127 — could allow attackers the access required to exploit the new vulnerability. 

The company said it is “not aware of successful exploitation by other means,” adding that it “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges “makes an attacker heavily reliant on previous vulnerabilities, or a net-new initial access vector, in order to be able to reach the privilege escalation path.”

Cisco advised customers to upgrade to fixed software released in May as part of its response to CVE-2026-20182 as a protective measure. 

Absent a patch that would provide organizations more protection against the new vulnerability, Cisco provided some indicators of compromise but noted that those same log entries may occur during standard operations. The company encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers.

Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. The Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog this year, not including CVE-2026-20245, which has yet to be added to the catalog.

The post Cisco customers encounter another SD-WAN zero-day under attack appeared first on CyberScoop.

Researchers and threat hunters are scrambling to respond to an actively exploited authentication-bypass vulnerability affecting Palo Alto Networks customers’ firewalls. 

The company initially tagged CVE-2026-0257 with a medium-severity rating when it disclosed the defect May 13, but quickly reassessed it as critical after Rapid7 observed and confirmed active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency followed suit, and added the vulnerability to its known exploited vulnerabilities catalog Friday.

The escalated threat posed by the defect, which allows remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall, showcases how quickly a seemingly mild vulnerability can turn into an urgent warning. 

“Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied,” a company spokesperson said in a statement. The company on Friday urged all customers to immediately apply the patch or follow its recommended steps for mitigation. 

The vendor and Rapid7, which first observed exploitation May 17 in a customer environment, declined to say how many organizations are impacted thus far. Yet, Douglas McKee, director of vulnerability intelligence at Rapid7, warned: “We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity” on May 21. 

Jake Knott, security researcher at watchTowr, told CyberScoop the vulnerability and resulting exploits follows a recurring trend wherein attackers target exposed network edge devices and rapidly identify, develop and weaponize exploits for initial access. 

“This is yet another authentication bypass on a device whose sole job is to guard the front door to an organization’s network,” he said. “What stands out is how simple it is — an attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request.”

The vulnerability has a few requisites that limit exposure, specifically posing risk to some Palo Alto Networks customers running GlobalProtect portal or gateway configured to enable authentication override cookies. 

“The cookie encryption and decryption certificate must be reused with another feature, which potentially exposes the public key for that certificate,” said Caitlin Condon, vice president of security research at VulnCheck.

“It’s difficult to say how many deployments meet those criteria for exploitability, but Palo Alto Networks firewalls have a very large footprint, which means even uncommon configurations can present significant attack surface area,” she added.

Rapid7 said the same attacker or group is likely responsible for both waves of exploitation last month, but in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network. 

The attackers are “highly opportunistic and clearly monitor the security research community,” McKee said. “Attackers are purposefully weaponizing medium-severity vulnerabilities, which are typically lower priority or blind spots for organizations.”

Multiple threat clusters are swarming to the opportunity and quickly adapting to published research.  Researchers have not attributed the malicious activity to any specific threat groups. 

“Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage,” McKee said. 

Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. Yet, within days of its public disclosure, initial assessments were proven inadequate.

“This is a pattern we continue to see — the urgency only arrives after exploitation is underway,” Knott said. “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”

The post Attackers are exploiting Palo Alto Networks defect that initially flew under the radar appeared first on CyberScoop.

Attackers are hitting Ivanti customers yet again — circling back to a common target and consistently susceptible vendor in the network edge space — by exploiting a zero-day vulnerability in one of the company’s most besieged products. 

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company alerted customers to the threat in a security advisory Thursday while also disclosing four additional high-severity vulnerabilities in the same product.

“At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement,” a spokesperson for Ivanti said in a statement.

Ivanti did not say when the first instance of exploitation occurred, or precisely how many customers have already been impacted.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s disclosure.

The company released patches for all five vulnerabilities Thursday, including the four additional defects — CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 — which it said haven’t been exploited in the wild.

“Ivanti discovered these vulnerabilities in recent weeks through internal detection processes which are supported by advanced AI, customer collaboration, and responsible disclosure,” the company spokesperson said. One of the defects was discovered and responsibly reported to Ivanti by a former employee.

The company suggested at least one of the root causes for the latest zero-day may be traced to lingering risk posed by a pair of separate, critical zero-days — CVE-2026-1281 and CVE-2026-1340 — that were exploited starting in late January. The fallout from those exploited vulnerabilities in Ivanti EPMM spread to nearly 100 victims, including The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary, by early February.

The latest Ivanti EPMM zero-day “requires authenticated administrative access to exploit, which is why customers who followed Ivanti’s recommendation in January to rotate EPMM credentials are at significantly reduced risk. Customers unaffected by the prior vulnerability are also at a much lower risk,” the company spokesperson said.

Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicates it was possibly exploited as part of an attack chain relying on another method for initial access. 

“No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups,” Condon told CyberScoop. 

“Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973,” she added. “Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication.”

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large, including many vulnerabilities that attackers exploited before the company caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.

During an interview with CyberScoop in March at the RSAC Conference, Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. 

“My position here at Ivanti is it doesn’t do our customers any good to be quiet about this,” he said, describing the company’s communication stance with the public, CISA and global partners as “very aggressive.”

That’s not always the case with other vendors, Spicer said. “I don’t know that transparency is a core tenant of all other organizations.”

The company, which serves many government agencies and critical infrastructure operators, also routinely notes that highly skilled and resourced attackers, including those backed by nation-states, are often responsible for these waves of attacks on its customers.

Ivanti maintains that it’s trying to consistently improve the security of its products. “Through continued investment in its product security program, including the use of advanced AI paired with human verification, Ivanti is strengthening its ability to identify, remediate, and disclose issues quickly, helping customers stay ahead of an increasingly compressed threat landscape,” the spokesperson said.

The way Spicer put it in March: “We want to make sure that people understand that we are trying to do the right thing.”

The post Ivanti customers confront yet another actively exploited zero-day appeared first on CyberScoop.

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run  code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

The company said firewalls exposed to the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators or compromise, nor disclose the type of organizations that have been targeted and impacted. 

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system. 

But the story behind CVE-2026-31431 is almost as interesting as the bug itself. Theori, the company that discovered the bug, leaned heavily on AI to find and initially disclose it. The result is a case study that  underscores the challenges that occur when the relentless hunt for defects collides with marketing impulses and inflated AI-generated language that was long on bluster but lacked technical details. 

Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access. 

Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23. Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit. 

The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog Friday.

Researchers have yet to determine how many organizations have been impacted by the flaw, but they noted that critical requirements for exploitation, specifically local access achieved through a separate exploit or pathway to unauthorized access, should limit potential exposure.

“The attacker would need to have already established a foothold on the target system either through some means of legitimate access or another exploit,” Spencer McIntyre, secure researcher at Rapid7, told CyberScoop. “That’s a large limiting factor since this vulnerability would therefore need to be paired with another.”

Theori’s disclosure turned heads among other vulnerability researchers who noted the defect’s broad potential impact, but also for lacking details about the proof-of-concept exploit. 

“The exploit is real, there is something to worry about, but understandably, teams now have to do additional validation to know how to parse the extreme AI FUD (fear, uncertainty and doubt) from [Theori’s] blog post,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“It’s not helpful that the blog is AI slop, because it detracts from technical reality,” she added. 

Theori acknowledges it used AI to discover and describe the vulnerability, explaining that it’s focusing on finding and fixing a large amount of defects. 

“We used AI to help craft the disclosure site and the blog post to help speed things up, but all material was thoroughly reviewed by our internal teams for accuracy,” said Tim Becker, senior security researcher at Theori. 

Theori is intentionally withholding additional details until the patch is broadly applied, he added.

“We stand by our technical description of the vulnerability. Helping downstream users to understand the impact of a security bug has always been a challenge for security researchers,” Becker said. “Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions. It also has implications for containerization including Kubernetes.”

Other researchers have drawn similar conclusions, noting that exploitation can be automated and doesn’t require specialization. 

Meanwhile, hundreds of additional proof-of-concept exploits have surfaced since the vulnerability was disclosed five days ago. “As expected, the majority of these appear to be copycat AI PoCs that do nothing but add banners or different colors to the command-line interface. Many new PoCs are simply ports of the original AI PoC to a different programming language,” Condon said. 

“Organizations should exercise caution when running untested research artifacts, including AI-generated exploit code that isn’t fully explained,” she added. 

Becker said Theori is aware of the burden defenders confront, and insists the company’s reports contain enough information for organizations to quickly triage and validate its findings.

The post ‘Copy Fail’ is a real Linux security crisis wrapped in AI slop appeared first on CyberScoop.

A severe authentication bypass vulnerability in cPanel, one of the most widely deployed web hosting control panel platforms on the internet, is being actively exploited in the wild, according to security researchers and hosting providers.

The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as WP Squared, a WordPress hosting management panel built on the cPanel platform. Internet scans conducted by security firm Rapid7 using the Shodan search engine identified approximately 1.5 million cPanel instances exposed online, though the precise number of vulnerable systems remains unknown.

cPanel released a patch Tuesday. By that point, exploitation had already been underway. KnownHost, a hosting provider that relies on cPanel, said earlier this week that successful exploits had been observed in the wild prior to any fix being made available. 

The Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerabilities (KEV) list Thursday. 

Cybersecurity firm watchTowr provided technical details in a blog posted Wednesday: The flaw stems from improper handling of user input during the login process. When a user attempts to log in, cPanel writes data from the request into a server-side session file before verifying the user’s identity. An attacker can exploit this by embedding hidden line breaks into the password field of a login request — characters cPanel fails to strip out — allowing arbitrary data to be injected directly into that file.

Through a secondary step, also involving a deliberately malformed request, the injected data gets promoted into the session’s active cache, where cPanel reads it as legitimate. Once that happens, the system sees the session as already authenticated and skips password verification entirely, granting access without ever checking the user’s actual credentials.

cPanel has published a detection script designed to scan session files for indicators of compromise, including sessions that contain injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. WatchTowr separately released a “Detection Artifact Generator” that administrators can use to verify whether their instances remain vulnerable.

Namecheap, a major domain registrar and hosting provider, took the step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability, citing the need to protect customers while an official fix was pending. The company began applying the patch after cPanel’s release earlier this week.

cPanel’s patched releases address the issue across seven version branches, from 11.110.0 through 11.136.0, as well as WP Squared version 11.136.1. The company’s advisory notes that the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process, rather than depending on each individual part of the codebase to do so separately. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers were able to exploit to bypass password encoding entirely.

The CVE has been given a 9.8 on the CVSS scale. 

The post cPanel’s authentication bypass bug is being exploited in the wild, CISA warns appeared first on CyberScoop.

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild.  The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems include:

• SD-WAN vulnerabilities: CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133
• Cisco Secure Firewall Management Center software vulnerabilities: CVE-2026-20079 and CVE-2026-20131

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance valuations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said. 

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.