Forum Widgets
Recent Discussions
CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Exploited in the Wild
On February 25, Cisco released a security advisory (cisco-sa-sdwan-rpa-EHchtZk) to address a maximum severity severity authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly known as SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. CVE Description CVSSv3 CVE-2026-20127 Cisco Catalyst SD-WAN Controller/Manager Authentication Bypass Vulnerability 10.0 CVE-2026-20127 is a critical severity authentication bypass vulnerability in Cisco’s Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests to an affected system, allowing them to log into an affected device as a high-privileged user. Using this access, the attacker could modify network configurations for the SD-WAN fabric. According to the advisory, this vulnerability has been exploited in the wild in limited attacks. The advisory further clarifies that this flaw affects vulnerable versions regardless of the device's configuration and no workaround steps are available, however temporary mitigation guidance is available in the security advisory. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Frequently Asked Questions About The August 2025 F5 Security Incident
Starting August 9 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach. In response, Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification. While there is no notice in these security advisories that any of the CVEs released on October 15 have been exploited, we strongly recommend applying all available patches. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)
Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513) On February 10, Microsoft released its February 2026 Patch Tuesday release which patched 54 CVEs with two rated critical, 51 rated as important and one rated as moderate. This update included patches to address six zero-day vulnerabilities that were exploited in the wild including three of which were publicly disclosed prior to patches being made available. CVE-2026-21510 is a security feature bypass vulnerability affecting Windows Shell. It was assigned a CVSSv3 score of 8.8 and was rated as important. According to Microsoft, this flaw was publicly disclosed prior to a patch being made available and was also exploited in the wild as a zero-day. Exploitation requires an attacker to convince an unsuspecting user to open a malicious link or shortcut file. This would allow the attacker to bypass Windows SmartScreen and Windows Shell warnings by exploiting a flaw in Windows Shell components. CVE-2026-21533 is an elevation of privilege vulnerability affecting Windows Remote Desktop Services. It was assigned a CVSSv3 score of 7.8, rated as important and was reportedly exploited in the wild. Successful exploitation allows a local, authenticated attacker to elevate to SYSTEM privileges. This month’s update includes patches for: .NET .NET and Visual Studio Azure Arc Azure Compute Gallery Azure DevOps Server Azure Front Door (AFD) Azure Function Azure HDInsights Azure IoT SDK Azure Local Azure SDK Desktop Window Manager Github Copilot GitHub Copilot and Visual Studio Internet Explorer Mailslot File System Microsoft Defender for Linux Microsoft Edge for Android Microsoft Exchange Server Microsoft Graphics Component Microsoft Office Excel Microsoft Office Outlook Microsoft Office Word Power BI Role: Windows Hyper-V Windows Ancillary Function Driver for WinSock Windows App for Mac Windows Cluster Client Failover Windows Connected Devices Platform Service Windows GDI+ Windows HTTP.sys Windows Kernel Windows LDAP - Lightweight Directory Access Protocol Windows Notepad App Windows NTLM Windows Remote Access Connection Manager Windows Remote Desktop Windows Shell Windows Storage Windows Subsystem for Linux Windows Win32K - GRFX For more information, please visit our blog.Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post: Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates. In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS: CVE Product CVSSv3 CVE-2025-30743 Oracle Lease and Finance Management 8.1 CVE-2025-30744 Oracle Mobile Field Service 8.1 CVE-2025-50105 Oracle Universal Work Queue 8.1 CVE-2025-50071 Oracle Applications Framework 6.4 CVE-2025-30746 Oracle iStore 6.1 CVE-2025-30745 Oracle MES for Process Manufacturing 6.1 CVE-2025-50107 Oracle Universal Work Queue 6.1 CVE-2025-30739 Oracle CRM Technical Foundation 5.5 CVE-2025-50090 Oracle Applications Framework 5.4 Cl0p has historically been linked to the exploitation of zero-day vulnerabilities including in managed file transfer platforms, such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and or publish more details on the Tenable Blog.FAQ on Copy Fail Linux Kernel Privilege Escalation (CVE-2026-31431)
On April 29, researchers at Theori publicly disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel's cryptographic subsystem dubbed "Copy Fail." The flaw has been present in every major Linux distribution since 2017. A public proof-of-concept exploit is available and reported to work reliably, drawing comparisons to Dirty Cow and Dirty Pipe. CVE Description CVSSv3 CVE-2026-31431 Linux Kernel Local Privilege Escalation Vulnerability 7.8 Patched kernel versions are available, though some major distributions have not yet shipped updates. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury
In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors. Recently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran. For more information about this threat activity, including the availability of patches for the CVEs covered in our analysis as well as Tenable product coverage, please visit our blog.
Zero Click Zero Day in Microsoft Support Diagnostic Tool...
Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild (CVE-2022-30190) On May 30, Microsoft released an advisory for a zero-day in the Microsoft Windows Support Diagnostic Tool (MSDT) that has been exploited in the wild and gained considerable researcher attention over the weekend. CVE-2022-30190 is a remote code execution vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. An attacker would craft a malicious document, Microsoft Word is common, and send it to their target via email. By exploiting this vulnerability, an attacker can execute commands with the permissions of the application used to open the malicious document. Researchers have found that this vulnerability can be exploited without user interaction. Microsoft has published a workaround and detection information, but no patches as of May 31. For more information, please visit our blog post.Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs
Microsoft’s March 2026 Patch Tuesday Addresses 83 CVEs (CVE-2026-21262, CVE-2026-26127) On March 10, Microsoft released its March 2026 Patch Tuesday release which patched 83 CVEs with eight rated as critical and 75 rated as important, including two vulnerabilities that were publicly disclosed prior to a patch being released. CVE-2026-21262 is an elevation of privilege (EoP) vulnerability affecting Microsoft SQL Server. It received a CVSSv3 score of 8.8 and was rated as important. CVE-2026-21262 was publicly disclosed as a zero-day. While no exploitation has been reported by Microsoft, a successful exploit of this flaw would result in an attacker gaining SQL sysadmin privileges. In addition, two more CVEs were issued for EoP flaws in Microsoft SQL Server, CVE-2026-26115 and CVE-2026-26116. CVE-2026-26127 is a denial of service (DoS) vulnerability affecting .NET 9.0 and 10.0 on Windows, Mac OS and Linux. It received a CVSSv3 score of 7.5 and was rated as important. According to Microsoft, this vulnerability was publicly disclosed prior to patches being made available. Although it was publicly disclosed, Microsoft assesses that exploitation is unlikely for this DoS vulnerability. This month’s update includes patches for: .NET ASP.NET Core Active Directory Domain Services Azure Arc Azure Compute Gallery Azure Entra ID Azure IoT Explorer Azure Linux Virtual Machines Azure MCP Server Azure Portal Windows Admin Center Azure Windows Virtual Machine Agent Broadcast DVR Connected Devices Platform Service (Cdpsvc) Microsoft Authenticator Microsoft Brokering File System Microsoft Devices Pricing Program Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Payment Orchestrator Service Push Message Routing Service Role: Windows Hyper-V SQL Server System Center Operations Manager Windows Accessibility Infrastructure (ATBroker.exe) Windows Ancillary Function Driver for WinSock Windows App Installer Windows Authentication Methods Windows Bluetooth RFCOM Protocol Driver Windows DWM Core Library Windows Device Association Service Windows Extensible File Allocation Windows File Server Windows GDI Windows GDI+ Windows Kerberos Windows Kernel Windows MapUrlToZone Windows Mobile Broadband Windows NTFS Windows Performance Counters Windows Print Spooler Components Windows Projected File System Windows Resilient File System (ReFS) Windows Routing and Remote Access Service (RRAS) Windows SMB Server Windows Shell Link Processing Windows System Image Manager Windows Telephony Service Windows Universal Disk Format File System Driver (UDFS) Windows Win32K Winlogon For more information, please visit our blog.React2Shell: FAQ about React Server Components Vulnerability (CVE-2025-55182)
On December 3, the React Team published a blog post regarding a critical, maximum severity (CVSS 10) vulnerability affecting React Server Components. CVE Description CVSSv3 CVE-2025-55182 React Server Components Remote Code Execution Vulnerability 10.0 The flaw, which is an unsafe deserialization vulnerability, has been named “React2Shell” by researchers, a nod to the Log4Shell vulnerability. Additionally, the Next.js team published its own security advisory for CVE-2025-66478, a separate CVE to track the impact of CVE-2025-55182. However, the National Vulnerability Database (NVD) rejected it as a duplicate. For more information about React2Shell, including the availability of patches and Tenable product coverage, please visit our blog.Ivanti Endpoint Manager Mobile Zero-Days Exploited (CVE-2026-1281, CVE-2026-1340)
On January 29, Ivanti published an advisory for two zero-day vulnerabilities in Endpoint Manager Mobile (EPMM), formerly MobileIron Core: CVE Description CVSSv3 CVE-2026-1281 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 CVE-2026-1340 Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability 9.8 According to Ivanti, both vulnerabilities were exploited in the wild affecting “a very limited number of customers.” Due to its ongoing investigation, Ivanti did not include any indicators of compromise. Ivanti products are popular targets for attackers, and over the last several years, there have been multiple EPMM vulnerabilities exploited in the wild. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
