Threat Intel · Updated Hourly
Live cybersecurity intel, straight from the sources crews trust.
Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.
Updated 31 min ago
CISA Known Exploited Vulnerabilities
What's being actively exploited right now — VPN / Remote access
These aren't theoretical. Every CVE below is on CISA's KEV catalog — meaning U.S. federal civilian agencies are required to patch them, because attackers are actively using them in the wild.
CVE-2026-50751
Actively exploited
Check Point Security Gateway Improper Authentication Vulnerability
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Read advisory at NVD →
CVE-2026-21643
Actively exploited
Fortinet FortiClient EMS SQL Injection Vulnerability
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Read advisory at NVD →
CVE-2026-35616
Actively exploited
Fortinet FortiClient EMS Improper Access Control Vulnerability
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Read advisory at NVD →
CVE-2026-3055
Actively exploited
Citrix NetScaler Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.
Read advisory at NVD →
CVE-2025-7775
Actively exploited
Citrix NetScaler Memory Overflow Vulnerability
Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or denial of service.
Read advisory at NVD →
CVE-2025-5777
Actively exploited
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Read advisory at NVD →
CVE-2025-6543
Actively exploited
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Read advisory at NVD →
CVE-2023-44221
Actively exploited
SonicWall SMA100 Appliances OS Command Injection Vulnerability
SonicWall SMA100 appliances contain an OS command injection vulnerability in the SSL-VPN management interface that allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user.
Read advisory at NVD →
CVE-2025-22457
Actively exploited
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.
Read advisory at NVD →
CVE-2024-53704
Actively exploited
SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
SonicWall SonicOS contains an improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
Read advisory at NVD →
CVE-2025-0282
Actively exploited
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution.
Read advisory at NVD →
CVE-2023-28461
Actively exploited
Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.
Read advisory at NVD →
See the full VPN / Remote access catalog (12 entries) →
Filtered to VPN / Remote access. Search, sort, and paginate the rest on the full catalog page.
Want crew who know what to do when one of these lands in their inbox? Start the free hour-long course →
NVD · Recent Disclosures
Recently disclosed CVEs (last 7 days)
Newly published vulnerabilities from the National Vulnerability Database, ranked by CVSS score. Critical-first so you see the worst at the top.
| CVE | CVSS | Severity | Published | Description |
|---|---|---|---|---|
| CVE-2026-44523 | 10 | CRITICAL | May 14, 2026 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4. |
| CVE-2026-20182 | 10 | CRITICAL | May 14, 2026 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnera… |
| CVE-2026-26191 | 9.8 | CRITICAL | May 14, 2026 | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploa… |
| CVE-2026-41315 | 9.8 | CRITICAL | May 14, 2026 | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE. |
| CVE-2026-42589 | 9.8 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argum… |
| CVE-2026-44484 | 9.8 | CRITICAL | May 14, 2026 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism. |
| CVE-2026-8511 | 9.6 | CRITICAL | May 14, 2026 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2026-41615 | 9.6 | CRITICAL | May 14, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-44482 | 9.6 | CRITICAL | May 14, 2026 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (win… |
| CVE-2026-44592 | 9.4 | CRITICAL | May 14, 2026 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has PeerAuth::Open, i.e. it sees jobs from every organisation, and c… |
| CVE-2026-42596 | 9.4 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services tha… |
| CVE-2026-44542 | 9.1 | CRITICAL | May 14, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with… |
| CVE-2026-42555 | 9.1 | CRITICAL | May 14, 2026 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, whi… |
| CVE-2026-45375 | 9 | CRITICAL | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplay… |
| CVE-2026-42457 | 9 | CRITICAL | May 14, 2026 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst ca… |
| CVE-2026-8577 | 8.8 | HIGH | May 14, 2026 | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8558 | 8.8 | HIGH | May 14, 2026 | Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8555 | 8.8 | HIGH | May 14, 2026 | Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8551 | 8.8 | HIGH | May 14, 2026 | Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8549 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8544 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8540 | 8.8 | HIGH | May 14, 2026 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8532 | 8.8 | HIGH | May 14, 2026 | Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8531 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8529 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High) |
Phishing emails carry these payloads. Train crew to spot the trigger →
From the Cybersecurity Newsroom
What's making cyber headlines
Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS ISC. Headlines link to the original source — full credit, no scraping.
BleepingComputer
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]
Jun 13, 2026
Read at source →
The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.…
Jun 13, 2026
Read at source →
BleepingComputer
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
Jun 13, 2026
Read at source →
The Hacker News
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., c…
Jun 13, 2026
Read at source →
BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
Read at source →
The Hacker News
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
Read at source →
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
Read at source →
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
Read at source →
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
Read at source →
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968, (Thu, Jun 11th)
Jun 11, 2026
Read at source →
Headlines and snippets © their respective publishers; links go directly to the original sources.
IoT · The overlooked threat surface
IoT on yachts: what most owners miss
Yachts pack more network-connected gadgets than a small office — cameras, AV controllers, smart locks, sensors, infotainment. Most of it ships with weak defaults and never gets patched. Here are the three archetypes we keep seeing in incident reports.
01
Cameras · DVRs
The camera you forgot to patch
IP cameras (Hikvision, Dahua, Axis), smart doorbells, and baby monitors aboard frequently ship with hardcoded creds, open telnet, or unpatched RTSP stacks. One compromised camera = a foothold on the yacht LAN, often with privileged network access for "remote viewing."
Train crew on device hygiene →
02
AV · Control
Crestron, Lutron, Control4, Savant
AV/lighting/climate controllers expose web admin panels and REST APIs that historically ship with weak auth. They share the same LAN as crew laptops and bridge systems, so a compromise gets full lateral access. Patch cadence is usually "never" without a dedicated integrator.
Train crew on segmentation →
03
Guest gear
The "smart" bits guests bring aboard
Chromecasts, Sonos, AirPlay receivers, Bluetooth speakers, smart TVs. Every one is an unmanaged endpoint that broadcasts on the network and can bridge guest devices into the yacht's primary VLAN if segmentation is loose. They're also notorious for shipping with mDNS/UPnP scanning enabled.
Train crew on guest policy →
Why this matters at sea
Most of these attacks start with a person, not a firewall
Phishing, hostile marina Wi-Fi, guest data slip-ups — the techniques behind the headlines are the same ones that target crew inboxes every day. We turn the latest threats into 60 minutes of role-aware training crew actually finish.