
U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS score of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.

Ivanti warns customers of a high‑severity zero‑day vulnerability, tracked as CVE‑2026‑6973, in Endpoint Manager Mobile that is already being exploited.

“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation.” reads the advisory. “We are not aware of any customers being exploited by the other vulnerabilities disclosed today.”

The flaw, caused by improper input validation, allows attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. Customers are urged to patch immediately to prevent compromise.

Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability. The vulnerability doesn’t affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 10, 2026.
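As an added example (not part of the SecurityAffairs post), the check a defender would run against the KEV catalog itself: parse the feed JSON, flag entries whose BOD 22-01 due date has passed or is near, and mark those that match an asset inventory. The feed sample, the inventory and the reference date are constructed; the field names follow the real KEV JSON schema, and the CVEs and due dates are the ones reported on this page.

```python
"""Triage CISA KEV entries against an asset inventory and their BOD 22-01 due dates."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# The live catalog is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# It is not fetched here; the sample below is embedded so the script runs offline.

# Constructed sample that follows the KEV JSON schema. The CVE ids, vendors, products
# and due dates are the ones reported in the posts on this page; other fields are omitted.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dueDate": "2026-05-10"},
        {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dueDate": "2026-05-09"},
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux",
         "product": "Kernel", "dueDate": "2026-05-15"},
        {"cveID": "CVE-2026-41940", "vendorProject": "WebPros",
         "product": "cPanel", "dueDate": "2026-05-03"},
        {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft",
         "product": "Defender", "dueDate": "2026-05-06"},
    ],
})

# Constructed asset inventory: (vendor, product) pairs as they appear in the catalog.
# Matching is case- and whitespace-insensitive but otherwise exact.
INVENTORY = [("Ivanti", "Endpoint Manager Mobile (EPMM)"), ("linux", "kernel")]


@dataclass(frozen=True)
class Finding:
    cve_id: str
    vendor: str
    product: str
    due_date: date
    days_left: int        # negative once the BOD 22-01 due date has passed
    status: str           # "overdue" | "due_soon" | "scheduled"
    in_inventory: bool    # True when the (vendor, product) pair is in our estate


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def classify(days_left: int, horizon_days: int) -> str:
    """Bucket an entry by how far its due date is from the reference date."""
    if days_left < 0:
        return "overdue"
    if days_left <= horizon_days:
        return "due_soon"
    return "scheduled"


def triage(kev_json: str, inventory: Iterable[tuple[str, str]], today: str,
           horizon_days: int = 7) -> list[Finding]:
    """Return catalog entries ordered by urgency, annotated with inventory matches."""
    ref = date.fromisoformat(today)
    known = {(_norm(v), _norm(p)) for v, p in inventory}
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - ref).days
        findings.append(Finding(
            cve_id=entry["cveID"],
            vendor=entry["vendorProject"],
            product=entry["product"],
            due_date=due,
            days_left=days_left,
            status=classify(days_left, horizon_days),
            in_inventory=(_norm(entry["vendorProject"]), _norm(entry["product"])) in known,
        ))
    rank = {"overdue": 0, "due_soon": 1, "scheduled": 2}
    # Within each bucket, inventory hits come first, then the earliest due date.
    findings.sort(key=lambda f: (rank[f.status], not f.in_inventory, f.due_date))
    return findings


def report(findings: list[Finding]) -> str:
    lines = [f"{f.status:9} {f.days_left:+4d}d  {f.cve_id:15} {f.vendor} {f.product}"
             f"{'  <-- in inventory' if f.in_inventory else ''}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_KEV_JSON, INVENTORY, today="2026-05-07", horizon_days=3)))
```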

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

CISA Warning: High-Severity Linux Flaw Puts Unpatched Systems at Risk

CISA warns that the nine-year-old Linux Copy Fail flaw is being actively exploited, allowing local attackers to gain root access on affected systems.

The post CISA Warning: High-Severity Linux Flaw Puts Unpatched Systems at Risk appeared first on TechRepublic.

U.S. CISA adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Palo Alto Networks PAN-OS, tracked as CVE-2026-0300 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.

“A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”

This week, Palo Alto Networks warned that the critical PAN-OS vulnerability CVE-2026-0300 is actively exploited in the wild.

Below is the list of impacted products:

  • Cloud NGFW: affected: none; unaffected: all
  • PAN-OS 12.1: affected: < 12.1.4-h5, < 12.1.7; unaffected: >= 12.1.4-h5 (ETA: 05/13), >= 12.1.7 (ETA: 05/28)
  • PAN-OS 11.2: affected: < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12; unaffected: >= 11.2.4-h17 (ETA: 05/28), >= 11.2.7-h13 (ETA: 05/13), >= 11.2.10-h6 (ETA: 05/13), >= 11.2.12 (ETA: 05/28)
  • PAN-OS 11.1: affected: < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15; unaffected: >= 11.1.4-h33 (ETA: 05/13), >= 11.1.6-h32 (ETA: 05/13), >= 11.1.7-h6 (ETA: 05/28), >= 11.1.10-h25 (ETA: 05/13), >= 11.1.13-h5 (ETA: 05/13), >= 11.1.15 (ETA: 05/28)
  • PAN-OS 10.2: affected: < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6; unaffected: >= 10.2.7-h34 (ETA: 05/28), >= 10.2.10-h36 (ETA: 05/13), >= 10.2.13-h21 (ETA: 05/28), >= 10.2.16-h7 (ETA: 05/28), >= 10.2.18-h6 (ETA: 05/13)
  • Prisma Access: affected: none; unaffected: all

The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.

Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.

The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.
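An added example, not Palo Alto Networks' own tooling, that turns the advisory table above into a check a practitioner can run over a fleet of PAN-OS version strings. It assumes the table's semantics as follows: a hotfix entry (x.y.z-hN) fixes only its own maintenance line from that hotfix on, a bare entry (x.y.z) covers that release and everything later in the branch, and any other version in a listed branch is treated as affected; branches the table does not list are reported as not listed, and the fixed versions were still ETAs when the post was written.

```python
"""Check PAN-OS version strings against the CVE-2026-0300 affected/fixed table."""
from __future__ import annotations

import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True, order=True)
class PanOsVersion:
    major: int
    minor: int
    maint: int
    hotfix: int = 0   # "11.1.7" is hotfix 0 of the 11.1.7 maintenance line

    @classmethod
    def parse(cls, text: str) -> PanOsVersion:
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a PAN-OS version string: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def branch(self) -> tuple[int, int]:
        return (self.major, self.minor)


# First fixed releases per the advisory table above (ETAs at the time of the post).
# Cloud NGFW, Prisma Access and Panorama are not affected per the advisory.
FIXED_RELEASES = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}


def is_fixed_by(version: PanOsVersion, fix: PanOsVersion) -> bool:
    """Interpretation of one table row (an assumption, see the lead-in):
    - a hotfix row x.y.z-hN fixes only maintenance line x.y.z, from hN onwards;
    - a bare row x.y.z fixes that release and every later release in the branch."""
    if version.branch != fix.branch:
        return False
    if fix.hotfix == 0:
        return version >= fix
    return version.maint == fix.maint and version >= fix


def assess(version_text: str) -> str:
    """Return 'fixed', 'affected', or 'not listed' for a branch absent from the table."""
    v = PanOsVersion.parse(version_text)
    fixes = FIXED_RELEASES.get(v.branch)
    if fixes is None:
        return "not listed"
    if any(is_fixed_by(v, PanOsVersion.parse(f)) for f in fixes):
        return "fixed"
    return "affected"


def assess_fleet(versions: dict[str, str]) -> dict[str, list[str]]:
    """Group firewall names by outcome, given an inventory of {name: version}."""
    groups: dict[str, list[str]] = {"affected": [], "fixed": [], "not listed": []}
    for name, ver in versions.items():
        groups[assess(ver)].append(name)
    return groups


if __name__ == "__main__":
    # Constructed fleet for illustration.
    fleet = {"fw-dc1": "11.1.7-h5", "fw-dc2": "11.1.7-h6", "fw-branch": "10.2.14",
             "fw-lab": "11.0.3"}
    for outcome, names in assess_fleet(fleet).items():
        print(f"{outcome:11}: {', '.join(names) or '-'}")
```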

“Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 9, 2026.

Pierluigi Paganini


U.S. CISA adds a flaw in Linux Kernel to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Linux Kernel to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Linux Kernel, tracked as CVE-2026-31431 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.

Recently, Xint Code researchers warned of a serious Linux flaw, tracked as CVE-2026-31431, dubbed Copy Fail. It lets any local, unprivileged user write four controlled bytes into the page cache of any readable file, enabling escalation to root on major distributions.

The bug combines AF_ALG and splice() to write 4 bytes into the page cache of any readable file. A 732-byte script can modify a setuid binary in memory, without changing the file on disk, making detection difficult. The issue affects major distributions like Ubuntu, RHEL, SUSE, and Amazon Linux, and can even cross container boundaries due to shared page cache.

“Copy Fail (CVE-2026-31431) is a logic bug in the Linux kernel’s authencesn cryptographic template. It lets an unprivileged local user trigger a deterministic, controlled 4-byte write into the page cache of any readable file on the system.” reads the report published by Xint Code. “A single 732-byte Python script can edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017.”

Copy Fail exploits a kernel logic flaw where corrupted page‑cache data is never marked dirty, leaving disk files unchanged while the in‑memory version is silently altered. Because the page cache is what processes read, an unprivileged user can corrupt a setuid binary’s cached page and gain root. The shared cache also lets the attack cross container boundaries. The bug, surfaced through AI‑assisted analysis of crypto‑subsystem behavior, is portable, tiny, race‑free, and stealthy, unlike Dirty Cow or Dirty Pipe. It works across major distros and architectures and forms the basis for both local privilege escalation and Kubernetes container escapes.

The bug starts in AF_ALG, which lets any user access the kernel crypto subsystem without privileges. Attackers use splice() to map file page cache pages directly into a crypto scatterlist, so operations act on real file-backed memory. During AEAD decryption, the kernel sets the operation in-place, mixing user buffers with page cache pages in one writable structure.

The authencesn algorithm breaks expectations: it uses the output buffer as scratch space and writes 4 bytes past the allowed boundary. In this setup, that write lands directly in the page cache of a chosen file. Attackers control the file, offset, and value, enabling precise memory corruption and privilege escalation.

This flaw emerged from changes that accumulated over years: the authencesn design, AF_ALG support, and a 2017 in-place optimization, which together created a long-hidden but critical vulnerability.

The exploit targets /usr/bin/su, a common setuid-root binary on Linux systems.

  • First, the attacker opens an AF_ALG socket and binds it to the vulnerable authencesn AEAD mode. No privileges are required. The attacker sets a cryptographic key and creates a request socket.
  • Next, the attacker prepares each 4-byte write. The AAD carries the exact 4-byte value to inject, while splice() maps page cache pages from the target file into the crypto operation. Carefully chosen parameters force the kernel to treat a specific offset inside /usr/bin/su as writable memory.
  • Then the attacker triggers recv(), which runs the decrypt operation. The kernel reads AAD data, performs the authencesn scratch write, and copies 4 bytes into the page cache of the target binary. The HMAC fails, but the corrupted memory remains. The process repeats until enough shellcode is injected into the cached binary.
  • Finally, the attacker runs execve("/usr/bin/su"). The kernel loads the modified version from the page cache instead of disk. Since su runs with setuid-root privileges, the injected code executes as root, giving full system control.

The researchers published a demo showing the same 732-byte exploit run on four Linux distributions, where a normal user (uid 1001) consistently gains root access. Tested systems include Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16, covering kernel versions 6.12 to 6.18, all successfully compromised.

“If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you’re in scope.” the researchers wrote. “Copy Fail requires only an unprivileged local user account — no network access, no kernel debugging features, no pre-installed primitives. The kernel crypto API (AF_ALG) ships enabled in essentially every mainstream distro’s default config, so the entire 2017 → patch window is in play out of the box.”
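An added defender-side check, not from the Xint Code report: because Copy Fail alters cached pages without marking them dirty, the bytes an ordinary read returns (served from the page cache) and the bytes an O_DIRECT read returns (served from disk) diverge for a poisoned file. The script hashes each setuid-root binary both ways and flags mismatches; the 1 MiB aligned buffer and the directory list are assumptions, and filesystems that refuse O_DIRECT are reported as unsupported rather than guessed. Linux only.

```python
"""Compare what the page cache serves for a setuid binary with what is on disk."""
from __future__ import annotations

import hashlib
import mmap
import os
import stat
from dataclasses import dataclass

CHUNK = 1 << 20   # 1 MiB: a multiple of every realistic O_DIRECT alignment requirement


@dataclass(frozen=True)
class CacheCheck:
    path: str
    cached_sha256: str
    disk_sha256: str | None   # None when O_DIRECT is unavailable for this file
    status: str               # "consistent" | "MISMATCH" | "unsupported"


def sha256_cached(path: str) -> str:
    """Ordinary buffered read: the view execve() and every other process gets."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_direct(path: str) -> str | None:
    """O_DIRECT read: bypasses the page cache and returns the on-disk bytes.

    Returns None if the platform, kernel or filesystem refuses O_DIRECT. Clean
    cached pages are neither flushed nor dropped by a direct read, so a poisoned
    (never-dirtied) page does not leak back to disk during the check."""
    if not hasattr(os, "O_DIRECT"):
        return None
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError:
        return None
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)   # anonymous mapping: page-aligned, as O_DIRECT requires
    try:
        while True:
            try:
                n = os.readv(fd, [buf])
            except OSError:
                return None
            if n == 0:
                break
            h.update(buf[:n])
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check_file(path: str) -> CacheCheck:
    """Hash a file through the cache and directly from disk; report any divergence."""
    cached = sha256_cached(path)
    disk = sha256_direct(path)
    if disk is None:
        status = "unsupported"
    elif disk == cached:
        status = "consistent"
    else:
        status = "MISMATCH"
    return CacheCheck(path, cached, disk, status)


def find_setuid_binaries(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")) -> list[str]:
    """Enumerate setuid-root regular files, the class of file Copy Fail targets."""
    found = set()
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.add(os.path.realpath(p))   # merged-usr: /bin/su and /usr/bin/su are one file
    return sorted(found)


if __name__ == "__main__":
    for p in find_setuid_binaries():
        r = check_file(p)
        print(f"{r.status:12} {p}")
```

A MISMATCH is worth an immediate look but is not proof on its own: confirm the on-disk hash against the package manager before escalating.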

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 15, 2026.

Pierluigi Paganini


U.S. CISA adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in WebPros cPanel to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in WebPros cPanel, tracked as CVE-2026-41940 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.

Cybersecurity experts at watchTowr first disclosed the flaw earlier this week and released a tool to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.

According to the Shadowserver Foundation, thousands of instances may be exposed.

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://t.co/z4sRvdaBwt

See Public Dashboard for stats: https://t.co/qFz265JDIK pic.twitter.com/m1aZvFEVlU

— The Shadowserver Foundation (@Shadowserver) May 1, 2026

44K unique IP number is based on cPanel spike of devices seen scanning/running exploits/brute force attacks against our honeypot sensors. https://t.co/SINYf136HI pic.twitter.com/sPEp41IVoa

— The Shadowserver Foundation (@Shadowserver) May 1, 2026

cPanel and watchTowr released tools to detect compromise and vulnerable hosts. Exploits date back to February. Namecheap warned customers of temporary access limits to mitigate risk.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 3, 2026.

Pierluigi Paganini


Congress Punts FISA Section 702 Renewal to June

What happened: Congress approved a 45-day extension of Section 702 of the Foreign Intelligence Surveillance Act on Thursday, hours before the program was set to lapse, pushing the next deadline to June 12. President Trump is expected to sign the legislation before the midnight deadline. The path to the extension was complicated. The day prior, […]

The post Congress Punts FISA Section 702 Renewal to June appeared first on CISO Whisperer.

The post Congress Punts FISA Section 702 Renewal to June appeared first on Security Boulevard.

U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2024-1708 (CVSS score of 8.4) ConnectWise ScreenConnect Path Traversal Vulnerability
  • CVE-2026-32202 (CVSS score of 4.3) Microsoft Windows Protection Mechanism Failure Vulnerability

CVE-2024-1708 is a path traversal vulnerability affecting ConnectWise ScreenConnect versions 23.9.7 and earlier. The issue stems from improper restriction of file paths, allowing attackers to access files and directories outside the intended scope.

By exploiting this flaw, an attacker could manipulate file paths to reach sensitive areas of the system. In certain scenarios, this may lead to remote code execution or unauthorized access to confidential data and critical resources, posing a serious risk to affected environments.

The second flaw added to the catalog is a Windows Shell Spoofing vulnerability tracked as CVE-2026-32202. The flaw allows attackers to spoof content over a network due to a failure in built-in protection mechanisms.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 12, 2026.


Pierluigi Paganini


U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

The vulnerability CVE-2024-7399 (CVSS score of 8.8) is an improper limitation of a pathname to a restricted directory issue in Samsung MagicINFO 9 Server versions before 21.1050. An attacker can exploit the flaw to write arbitrary files with system authority.

In May 2025, Arctic Wolf researchers observed threat actors exploiting this vulnerability (CVSS score: 8.8) in the Samsung MagicINFO content management system (CMS) just days after proof-of-concept (PoC) exploit code was publicly released.

CVE-2024-7399 is an input validation flaw in Samsung MagicINFO 9 Server; it allows unauthenticated attackers to upload JSP files and execute code with system-level access.

Samsung first disclosed the flaw in August 2024, and at the time, there were no signs of it being exploited. However, just days after a proof-of-concept (PoC) was published on April 30, 2025, threat actors began taking advantage of it. Given how easy it is to exploit, and the public availability of the PoC, experts believe that the attacks are likely to continue.

Samsung addressed the vulnerability with the release of MagicINFO 9 Server version 21.1050 in August 2024.

The second vulnerability, tracked as CVE-2025-29635, allows attackers to inject commands because an attacker-controlled value is copied without proper validation.

This week, Akamai researchers reported that a Mirai botnet is targeting CVE-2025-29635 via crafted POST requests after public PoC disclosure.

The remaining two flaws added to the catalog are:

  • CVE-2024-57726 (CVSS 9.9) – An authorization flaw in SimpleHelp lets low-privileged technicians generate API keys with elevated rights, enabling escalation to full server admin access.
  • CVE-2024-57728 (CVSS 7.2) – A path traversal issue (zip slip) allows admin users to upload crafted ZIP files that place arbitrary files on the system, potentially leading to remote code execution as the SimpleHelp server user.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 8, 2026.


Pierluigi Paganini


U.S. CISA adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as CVE-2026-33825 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-33825 is a Microsoft Defender flaw that can be exploited to achieve privilege escalation. Microsoft fixed it with the release of Patch Tuesday security updates for April 2026.

Last week, Huntress researchers reported that attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems, including CVE-2026-33825 (aka BlueHammer). The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft’s handling of the disclosure.

Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.

BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection.

At this time, Microsoft has only fixed the flaw CVE-2026-33825; the others remain unpatched.

Huntress researchers reported attackers are exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown.

Huntress said it saw real-world exploitation of all three flaws. Attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.

Researchers believe attackers are using the public exploit code released online by Chaotic Eclipse.

The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.

Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond 🧵👇 pic.twitter.com/ZFRI2XAYIA

— Huntress (@HuntressLabs) April 16, 2026

When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 6, 2026.

Pierluigi Paganini


EU Rolls Out NCAF 2.0 Framework to Boost National Cybersecurity Readiness

NCAF 2.0

The European Union Agency for Cybersecurity (ENISA) has released the updated version of the National Capabilities Assessment Framework (NCAF 2.0), providing EU Member States with a structured, adaptable methodology to evaluate and enhance their national cybersecurity capabilities. This revised framework is designed to support national authorities in assessing the maturity of their National Cybersecurity Strategies (NCSSs), ultimately strengthening the EU's collective cybersecurity posture.

The National Capabilities Assessment Framework (NCAF) 2.0 offers EU Member States a comprehensive tool for evaluating their cybersecurity preparedness and progress. Through this framework, countries can assess the maturity of their National Cybersecurity Strategies (NCSSs), identify strengths and weaknesses, and make targeted improvements. NCAF 2.0 is built around a flexible, evidence-based approach that provides valuable insights into both strategic and operational cybersecurity initiatives.

How is NCAF 2.0 Different?

NCAF 2.0 is a refined maturity model that helps countries assess their cybersecurity efforts across various stages of development. This model evaluates both the process and outcomes of national cybersecurity strategies, offering Member States an ongoing opportunity to track progress and align with EU cybersecurity standards.

NCAF 2.0 builds upon the success of its predecessor by introducing several key updates aimed at strengthening the cybersecurity capabilities of EU Member States. These updates include:
  • New descriptions of maturity levels reflect the dynamic nature of cybersecurity challenges, enabling more accurate assessments of national capabilities.
  • The framework includes updated goals that address emerging cybersecurity threats and align with evolving EU policies, such as the NIS2 Directive, which came into force in January 2023.
  • A set of comprehensive questions designed to assess the maturity of various cybersecurity areas, including governance, risk management, and incident response.
NCAF 2.0 is crucial in supporting the EU’s broader cybersecurity agenda, especially in helping Member States comply with regulatory frameworks such as the NIS2 Directive. This directive requires countries to establish robust NCSSs, setting clear goals for addressing current and future cybersecurity risks. 

Who Can Benefit from NCAF 2.0? 

The primary beneficiaries of NCAF 2.0 are policymakers, cybersecurity experts, and government officials responsible for shaping and implementing NCSSs. The framework offers a valuable self-assessment tool for evaluating a country’s progress and improving national cybersecurity strategies.

By providing a structured methodology for assessing cybersecurity efforts, NCAF 2.0 enables national authorities to make data-driven decisions that enhance their overall security posture.

Additionally, the framework promotes mutual learning and best practice sharing among EU Member States, fostering collaboration on key cybersecurity issues. By aligning national strategies with EU-wide cybersecurity goals, NCAF 2.0 contributes to strengthening the EU’s collective defense against cyber threats.

The EU Cybersecurity Landscape 

The release of NCAF 2.0 marks a significant step forward in enhancing EU cybersecurity. For over a decade, ENISA has supported EU Member States in developing and refining their national cybersecurity strategies. NCAF 2.0 builds on this legacy, offering an updated tool for assessing progress and adapting to emerging threats.

As the EU cybersecurity landscape evolves, NCAF 2.0 ensures that national cybersecurity strategies remain relevant and effective. By continuously updating the framework in response to new developments in technology and legislation, ENISA helps Member States stay ahead of cyber threats and maintain a good defense against modern cyber risks.

Challenges in Assessing National Cybersecurity Strategies 

Developing and evaluating effective National Cybersecurity Strategies (NCSSs) is a complex task that presents numerous challenges for EU Member States. Some of the most common difficulties include: 
  • Coordination Across Stakeholders: Ensuring effective collaboration between government agencies, businesses, and cybersecurity experts can be difficult, especially in countries with fragmented governance structures.  
  • Adapting to Evolving Threats: As cyber threats continue to evolve, national strategies must be flexible and adaptive. Member States must continuously update their plans to address emerging risks.  
  • Measuring Effectiveness: It is not enough to track the implementation of cybersecurity measures; it is also important to assess the long-term impact and success of these efforts. This requires a comprehensive evaluation of outcomes, not just outputs.  
NCAF 2.0 helps address these challenges by providing a clear, structured framework for evaluating cybersecurity capabilities. The maturity model allows countries to track progress over time, identify gaps, and ensure their strategies are evolving to meet new challenges. 

The Benefits of Using NCAF 2.0 

NCAF 2.0 offers several advantages for EU Member States: 
  1. Self-Assessment and Continuous Improvement: The framework provides a voluntary tool for Member States to evaluate their cybersecurity maturity and track progress over time. By identifying gaps and areas for improvement, countries can strengthen their cybersecurity capabilities.  
  2. Alignment with EU Regulations: NCAF 2.0 is aligned with key EU legislation, including the NIS2 Directive and the Cyber Resilience Act. This ensures that national strategies comply with EU-wide cybersecurity standards.  
  3. Support for Peer Reviews: NCAF 2.0 can be used as part of the voluntary peer review process established under NIS2. This allows Member States to collaborate, share best practices, and enhance their collective cybersecurity efforts.  
Through these benefits, NCAF 2.0 plays a crucial role in strengthening the cybersecurity posture of EU Member States and enhancing their resilience to cyber threats. 

Maturity Levels in NCAF 

The maturity model in NCAF 2.0 is structured around five levels, each representing a stage of development in national cybersecurity capabilities: 
  • Level 1: Foundation: Countries at this level have begun their cybersecurity journey but lack a comprehensive, coordinated approach.  
  • Level 2: Developing: At this stage, national strategies are in place, but implementation is still in the early stages.  
  • Level 3: Established: Member States at this level have a well-established cybersecurity framework with clear governance structures and resource allocation. 
  • Level 4: Mature: A mature cybersecurity strategy is aligned across all sectors, with ongoing evaluations and adjustments based on performance data.
  • Level 5: Advanced: Countries at this level demonstrate an adaptive, forward-looking cybersecurity strategy that is responsive to emerging threats and technological advancements.  
While reaching Level 5 may be an idealized goal for many countries, the model provides a clear roadmap for progress, helping Member States identify where they currently stand and where they should aim to be. 

U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
  • CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
  • CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
  • CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
  • CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
  • CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
  • CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
  • CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability

Several of the listed vulnerabilities are not just theoretical weaknesses but have been actively exploited in real-world attacks, often becoming entry points for ransomware operators and state-linked actors.

The CVE-2023-27351 flaw in PaperCut NG/MF is a clear example. It was widely abused in 2023 by ransomware groups such as the Clop ransomware group and LockBit, which leveraged the improper authentication issue to gain unauthenticated access to servers, deploy payloads, and move laterally within networks.

Similarly, CVE-2024-27199 affecting JetBrains TeamCity was rapidly weaponized after disclosure. Threat actors exploited the path traversal flaw to access sensitive configuration files, extract credentials, and in some cases deploy backdoors on build servers, critical assets in software supply chains.

The CVE-2025-32975 flaw in Quest KACE Systems Management Appliance has also been observed in opportunistic attacks, where attackers bypass authentication to gain administrative access, enabling device management abuse and potential malware deployment across managed endpoints.

On the email front, CVE-2025-48700 impacting Zimbra Collaboration Suite has been linked to exploitation campaigns delivering malicious scripts via cross-site scripting, often used to hijack sessions or steal credentials in targeted attacks.

For the more recent Cisco issues, CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 affecting Cisco Catalyst SD-WAN Manager, public reporting so far indicates a high risk of exploitation, especially given the platform’s role in managing enterprise networks. While large-scale campaigns have not been as widely documented yet, similar Cisco management-plane flaws have historically been quickly adopted by threat actors once proof-of-concept exploits emerge.

Finally, CVE-2025-2749 in Kentico Xperience represents a classic path traversal issue. Although public evidence of widespread exploitation is still limited, such flaws are routinely abused in web attacks to access sensitive files, and they tend to be incorporated into automated scanning and exploitation frameworks shortly after disclosure.

Overall, the pattern is consistent: vulnerabilities enabling unauthenticated access, path traversal, or credential exposure are quickly operationalized. Attackers exploit them for initial access, privilege escalation, and persistence, often within days of public disclosure, highlighting the need for rapid patching and continuous monitoring.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by May 4, 2026, except Cisco Catalyst and Synacor Zimbra Collaboration Suite (ZCS) flaws, which must be addressed by April 23, 2026.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

CISA Adds 8 Exploited Vulnerabilities Affecting Cisco, Zimbra, TeamCity

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with eight newly identified security flaws that are currently being exploited in real-world attacks. The update was announced on April 21, 2026. CISA’s latest update to the KEV catalog introduces eight vulnerabilities spanning a range of products and vendors. Among the most notable inclusions are CVE-2023-27351 and CVE-2024-27199, both of which have drawn attention due to their active exploitation and potential impact on enterprise environments.

Latest Vulnerabilities Added to the KEV Catalog 

  • CVE-2023-27351 (CVSS 8.2): An improper authentication flaw affecting PaperCut NG/MF. This issue allows attackers to bypass authentication mechanisms via the SecurityRequestFilter class.  
  • CVE-2024-27199 (CVSS 7.3): A relative path traversal vulnerability in JetBrains TeamCity that could enable attackers to carry out limited administrative actions.  
  • CVE-2025-2749 (CVSS 7.2): A path traversal flaw in Kentico Xperience, permitting authenticated users to upload arbitrary data to specific paths via the Staging Sync Server.  
  • CVE-2025-32975 (CVSS 10.0): A critical improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA), enabling attackers to impersonate legitimate users without credentials.  
  • CVE-2025-48700 (CVSS 6.1): A cross-site scripting (XSS) issue in Zimbra Collaboration Suite that allows execution of arbitrary JavaScript within a user session.  
  • CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133: Three distinct vulnerabilities impacting Cisco Catalyst SD-WAN Manager, ranging from privilege escalation to exposure of sensitive information.

Cisco Catalyst Vulnerabilities Under Active Exploitation 

Three of the eight newly listed flaws affect Cisco Catalyst SD-WAN Manager, raising concerns around enterprise networking infrastructure security. These vulnerabilities include:
  • CVE-2026-20122 (CVSS 5.4): Improper use of privileged APIs, allowing attackers to upload or overwrite arbitrary files and gain elevated privileges.  
  • CVE-2026-20128 (CVSS 7.5): Storage of passwords in a recoverable format, enabling local attackers to extract credentials and escalate access.  
  • CVE-2026-20133 (CVSS 6.5): Exposure of sensitive information to unauthorized actors, potentially allowing remote attackers to access confidential system data.  

Continued Concerns Around CVE-2023-27351 and CVE-2024-27199 

The inclusion of CVE-2023-27351 in the KEV catalog is particularly significant given its history. In April 2023, exploitation of this vulnerability was linked to the Lace Tempest threat group, which used it to deploy Cl0p and LockBit ransomware. Its continued presence in active exploitation campaigns indicates that unpatched systems remain a viable target. Similarly, CVE-2024-27199 follows an earlier related vulnerability, CVE-2024-27198, which was added to the KEV catalog in March 2024. While both affect JetBrains TeamCity, it remains unclear whether they are being exploited in tandem or by the same threat actors.

Zimbra Collaboration Suite Vulnerability Raises High-Risk Alert 

Another critical addition to the KEV catalog is CVE-2025-48700, affecting Zimbra Collaboration Suite. This vulnerability enables cross-site scripting attacks that can lead to unauthorized access to sensitive information. Security assessments classify this issue as High Risk, especially since it is already being exploited in the wild. 

Impact and Affected Versions 

The vulnerability impacts multiple versions of Zimbra Collaboration Suite, including: 
  • Versions prior to 9.0.0 Patch 43  
  • Versions prior to 10.0.12  
  • Versions prior to 10.1.4  
  • Versions prior to 8.8.15 Patch 47  
Attackers exploiting CVE-2025-48700 can inject malicious JavaScript into user sessions, potentially compromising sensitive data and enabling further attacks. 

Mitigation Measures 

To address this issue, users are advised to apply vendor-released patches: 
  • Version 9.0.0 Patch 43  
  • Version 10.0.12  
  • Version 10.1.4  
  • Version 8.8.15 Patch 47  
CISA recommends that organizations prioritize remediation efforts in line with KEV catalog guidance, especially vulnerabilities with confirmed exploitation activity. 

Federal Deadlines and Broader Implications 

With the addition of these vulnerabilities to the KEV catalog, CISA has also set remediation deadlines for federal agencies, spanning April to May 2026. These deadlines are part of Binding Operational Directive (BOD) requirements, which mandate timely patching of known exploited vulnerabilities. The continued expansion of the KEV catalog, including high-profile entries like CVE-2023-27351, CVE-2024-27199, and Cisco Catalyst-related flaws, reflects a new threat landscape where attackers rapidly weaponize newly discovered weaknesses. Organizations beyond the federal sector are also encouraged to treat the KEV catalog as a priority reference for vulnerability management and risk mitigation.

In Praise of CISA

Lately, the Cybersecurity and Infrastructure Security Agency (CISA) has been buried under troubling headlines. Steep workforce reductions. $700 million 2027 budget cut. Leadership uncertainty. Impacts from the months-long partial government shutdown. Canceled 2026 CyberCorps: Scholarship for Service program. But, to borrow and twist a phrase from Shakespeare’s Julius Caesar, “I come to praise CISA, not […]

The post In Praise of CISA appeared first on CISO Whisperer.

The post In Praise of CISA appeared first on Security Boulevard.

U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2026-34197 is a critical flaw in Apache ActiveMQ caused by improper input validation and unsafe code execution. It affects the Jolokia JMX-HTTP bridge exposed via the web console, which allows execution of certain management operations.

An authenticated attacker can send crafted requests with a malicious discovery URI that forces the broker to load a remote Spring XML configuration. Because Spring initializes beans before validation, attackers can execute arbitrary code, for example via Runtime.exec(). This results in remote code execution on the broker’s JVM.

“Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).” reads the advisory. “An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport’s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker’s JVM through bean factory methods such as Runtime.exec().”

The issue affects versions before 5.19.4 and 6.2.3, and users are strongly advised to upgrade.
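The advisory above singles out the Jolokia access policy as the reason exec calls on org.apache.activemq:* MBeans are reachable. The following hardened policy is an added example, not ActiveMQ's shipped configuration; it assumes the web console reads its policy from conf/jolokia-access.xml and that the broker's operators do not need exec over the HTTP bridge.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical hardened Jolokia access policy (added example, not the
     ActiveMQ project's default file). Assumed location: conf/jolokia-access.xml -->
<restrict>
  <!-- Only answer Jolokia requests that originate on the broker host itself;
       the JMX-HTTP bridge should not be reachable from arbitrary clients. -->
  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
  </remote>

  <!-- Global allow-list of Jolokia request types. "exec" is deliberately
       omitted, so MBean operations are refused unless an <allow> re-enables
       a specific one; "write" is omitted for the same reason. -->
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>

  <!-- Belt and braces: name the two operations the advisory cites so that a
       later, broader <allow> entry cannot silently expose them again.
       Jolokia evaluates <deny> before <allow>. -->
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>addNetworkConnector</operation>
      <operation>addConnector</operation>
    </mbean>
  </deny>
</restrict>
```

Restricting the bridge only narrows the exposed surface; the fix the advisory identifies is upgrading to 5.19.4 or 6.2.3.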

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 30, 2026.

Pierluigi Paganini

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft SharePoint Server and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
  • CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability 

The first vulnerability added, tracked as CVE-2009-0238 (CVSS score of 9.3), affects multiple versions of Microsoft Excel and related viewers. It is triggered when a user opens a specially crafted Excel file that causes the application to access an invalid object in memory. This leads to memory corruption, allowing a remote attacker to execute arbitrary code on the affected system with the privileges of the user.

The vulnerability was actively exploited in the wild in February 2009, notably by the Trojan.Mdropper.AC malware, making it a significant real-world threat at the time.

The second flaw added to the catalog, tracked as CVE-2026-32201, is a critical SharePoint zero-day actively exploited in attacks in the wild, as reported by Microsoft.

CVE-2026-32201 (CVSS score of 6.5) is a spoofing vulnerability in Microsoft SharePoint Server, likely related to cross-site scripting (XSS). While details are limited, it could allow attackers to view or modify exposed information. Microsoft has not disclosed how widespread exploitation is, but given the potential impact, organizations, especially those with internet-facing SharePoint servers, should prioritize testing and applying the patch quickly.

“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.” reads the advisory. “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).” The advisory lists the flaw’s status as “Exploitation Detected”.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by April 28, 2026.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability
  • CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
  • CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
  • CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
  • CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
  • CVE-2025-60710 Microsoft Windows Link Following Vulnerability
  • CVE-2026-21643 Fortinet SQL Injection Vulnerability

Last week, Adobe released emergency updates to address a critical vulnerability, tracked as CVE-2026-34621 (CVSS score of 8.6), in Adobe Acrobat Reader, which is being actively exploited. The flaw could allow attackers to execute malicious code on affected systems, making prompt patching essential to reduce the risk of compromise.

The vulnerability is an improperly controlled modification of object prototype attributes (‘Prototype Pollution’) that can lead to arbitrary code execution.

CISA also added to the KEV catalog the vulnerability CVE-2012-1854, which is an untrusted search path / DLL hijacking flaw affecting components of Microsoft Office VBA, specifically VBE6.dll used in Office and Visual Basic for Applications.

The third issue added to the catalog is the flaw CVE-2020-9715, which is a use-after-free issue that can lead to arbitrary code execution.

The US agency also added the CVE-2026-21643 flaw to the catalog. In February, Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).

The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specifically crafted HTTP requests.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by April 27, 2026, except CVE-2026-21643, which must be addressed by April 16, 2026.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)