Industrial Sector
- Siemens SIMATIC
"SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-10 - Siemens Ruggedcom Rox
"Ruggedcom Rox before v2.17.1 contain multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-16 - Universal Robots Polyscope 5
"Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-17 - Siemens Siemens ROS#
"ROS# contains a ROS service file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts service. Siemens has released a new version for ROS# and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-08 - Siemens Ruggedcom Rox
"Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-12 - Siemens SENTRON 7KT PAC1261 Data Manager
"The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-14 - Siemens SIMATIC S7 PLC Web Server
"SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-15 - Siemens gWAP
"Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-01 - Siemens Ruggedcom Rox
"Ruggedcom Rox contains an improper access control vulnerability that could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-02 - Siemens Solid Edge
"Solid Edge SE2026 before Update 5 is affected by two file parsing vulnerabilities that could be triggered when the application reads specially crafted files in PAR format. This could allow an attacker to crash the application or execute arbitrary code. Siemens has released a new version for Solid Edge SE2026 and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-03 - Siemens Teamcenter
"Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-04 - Siemens Simcenter Femap
"Simcenter Femap is affected by heap based buffer overflow vulnerability in Datakit library that could be triggered when the application reads files in IPT format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released a new version for Simcenter Femap and recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-05 - Siemens Industrial Devices
"Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-06 - Siemens SIMATIC
"SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. This vulnerability allows an attacker to access the web browser through the Control Panel if it is not protected by the corresponding security mechanisms. This opens the possibility for the attacker to find backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-07 - Siemens Opcenter RDnL
"Opcenter RDnL is affected by missing authentication in critical function in ‘ActiveMQ Artemis’. An unauthenticated attacker within the adjacent network could use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in availability impacts or message injection into any queue via the rogue broker. Breaking the integrity of a message has a low impact due to missing auto refresh functionality and it does not contain any confidential information. ActiveMQ Artemis has released a new version and Siemens recommends to update to the latest version."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-09 - Siemens Ruggedcom Rox
"Ruggedcom Rox contains an input validation vulnerability in the feature key installation process that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-11 - Siemens SIPROTEC 5
"The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-13
Vulnerabilities
- 200,000 WordPress Sites At Risk From Critical Authentication Bypass Vulnerability In Burst Statistics Plugin
"On May 8, 2026, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations. The vulnerability was introduced in the code on April 23, 2026, discovered just 15 days later, and patched 19 days later, highlighting the positive impact that AI can have on reducing the window for attackers to find and target new vulnerabilities in WordPress. This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header. In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever."
https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/
https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/ - Ongoing Exploitation Of Cisco Catalyst SD-WAN Vulnerabilities
"Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Successful exploitation of CVE-2026-20182 allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. The exploitation of CVE-2026-20182 appears to have been limited so far and Talos clusters this activity under UAT-8616 with high confidence."
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-critical-sd-wan-flaw-exploited-in-zero-day-attacks/
https://www.darkreading.com/vulnerabilities-threats/maximum-severity-cisco-sd-wan-bug-exploited
https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html - NGINX Rift: Achieving NGINX Remote Code Execution Via An 18-Year-Old Vulnerability
"We used depthfirst’s system to analyze the NGINX source code, and it autonomously discovered 4 remote memory corruption issues, including a critical heap buffer overflow introduced in 2008. We further investigated the exploitability of the issues, and developed a working proof of concept demonstrating RCE with ASLR off. If you use rewrite and set directives in your NGINX configuration, you’re at risk. In mid-April, I was chatting with a colleague about the most vulnerable spot in our infrastructure. Since most of our services live entirely inside a private network, our app platform is the only exposed surface. He joked that achieving remote code execution on our web service would mean hacking into depthfirst completely. Hacking the web service itself is not my usual focus. However, the idea of hacking the underlying web server intrigued me, which directed my attention to NGINX."
https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
https://my.f5.com/manage/s/article/K000161019
https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html
https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/
https://securityaffairs.com/192132/hacking/nginx-rift-an-18-year-old-flaw-in-the-worlds-most-deployed-web-server-just-came-to-light.html - New Fragnesia Linux Flaw Lets Attackers Gain Root Privileges
"Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root. Known as Fragnasia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files. Zellic's head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems."
https://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/
https://github.com/v12-security/pocs/tree/main/fragnesia
https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html
https://www.infosecurity-magazine.com/news/fragnesia-linux-kernel-lpe-root/
https://www.securityweek.com/new-linux-kernel-vulnerability-fragnesia-allows-root-privilege-escalation/
https://securityaffairs.com/192145/uncategorized/linux-kernel-bug-fragnesia-allows-local-root-access-attacks.html
https://www.theregister.com/security/2026/05/14/dirty-frag-gets-a-sequel-as-fragnesia-hands-linux-attackers-root-level-access/5240270 - F5 Patches Over 50 Vulnerabilities
"F5 on Wednesday announced fixes for over 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX. Based on the CVSS score, the most severe of the resolved issues is CVE-2026-42945 (CVSS v4.0 score of 9.2), a denial-of-service (DoS) condition in NGINX’s ngx_http_rewrite_module module. The bug allows an unauthenticated attacker to send crafted HTTP requests that, combined with certain conditions beyond the attacker’s control, could trigger a heap buffer overflow and a restart. If Address Space Layout Randomization (ASLR) is disabled, the flaw can be exploited for code execution."
https://www.securityweek.com/f5-patches-over-50-vulnerabilities/ - CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/05/14/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/192157/hacking/u-s-cisa-adds-a-flaw-in-cisco-catalyst-sd-wan-to-its-known-exploited-vulnerabilities-catalog.html - CVE-2026-44338: PraisonAI Authentication Bypass In Under 4 Hours And The Growing Trend Of Rapid Exploitation
"On May 11, 2026, GitHub published advisory GHSA-6rmh-7xcm-cpxj, tracked as CVE-2026-44338 for PraisonAI, an open-source multi-agent orchestration framework with ~7,100 GitHub stars. The legacy api_server.py entrypoint shipped with authentication disabled by default, exposing two endpoints, GET /agents and POST /chat, to any caller. Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances. The advisory was published at 13:56 UTC. The first targeted request landed at 17:40 UTC the same day."
https://www.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation
https://www.securityweek.com/hackers-targeted-praisonai-vulnerability-hours-after-disclosure/ - High-Severity Vulnerability Patched In VMware Fusion
"Broadcom announced on Thursday that it has released a VMware Fusion update to patch a high-severity vulnerability. The flaw, tracked as CVE-2026-41702 and rated ‘important’ by the vendor, was reported by Mathieu Farrell. An advisory describes CVE-2026-41702 as a time-of-check time-of-use (TOCTOU) flaw that “occurs during an operation performed by a SETUID binary”. “A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed,” the advisory explains."
https://www.securityweek.com/high-severity-vulnerability-patched-in-vmware-fusion/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37454
https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
https://securityaffairs.com/192136/security/broadcom-releases-vmware-fusion-security-update-for-root-access-bug.html
Malware
- Help-Desk Lures Drop KongTuke's Evolved ModeloRAT
"Threat actors are impersonating help-desk staff over external Microsoft Teams chats to trick victims into deploying "ModeloRAT" on their own machines. ReliaQuest attributes the activity to financially motivated initial access broker (IAB) "KongTuke" based on reuse of the group's custom Python loader. Previously, KongTuke has compromised WordPress sites to host "ClickFix" and "CrashFix" lures and paste-and-run prompts on fake CAPTCHA or browser-crash pages for access that has historically fed ransomware affiliates. This Teams activity, which appears to add to, rather than replace, that web-based approach, marks the first time we’ve seen KongTuke use a collaboration platform for initial access. In the incidents we investigated, a single external Teams chat moved the operator from cold outreach to a persistent foothold in under five minutes."
https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat
https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/ - Chinese APT Campaign Targets Entities With Updated FDMTP Backdoor
"Darktrace have identified activity consistent with Chinese-nexus operations, a Twill Typhoon-linked campaign targeting customer environments, primarily within the Asia-Pacific & Japan (APJ) region. Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework."
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
https://www.infosecurity-magazine.com/news/mustang-panda-fdmtp-backdoor-apj/
https://www.bankinfosecurity.com/mustang-panda-linked-to-new-modular-fdmtp-backdoor-a-31696
https://hackread.com/chinatwill-typhoon-fake-apple-yahoo-sites-espionage/ - FrostyNeighbor: Fresh Mischief And Digital Shenanigans
"This blogpost covers newly discovered activities attributed to FrostyNeighbor, targeting governmental organizations in Ukraine. FrostyNeighbor has been running continual cyberoperations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe, according to our telemetry."
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html
https://www.darkreading.com/cyberattacks-data-breaches/frostyneighbor-apt-govt-orgs-poland-ukraine - Instead Of a Job—stolen Data And Money. Trojan Stealer Targeting MacOS And Windows Users Conceals Itself In Fake Online Interview Apps
"Doctor Web’s experts are warning users about the spread of JobStealer, a trojan app that steals confidential information from macOS and Windows computer users. It primarily aims to hijack data from crypto wallets. Fraudsters, under the pretext of conducting online interviews, lure potential victims to malicious websites and ask them to download a video conferencing app. In reality, this software is the JobStealer trojan."
https://news.drweb.com/show/?i=15253&lng=en
https://hackread.com/fake-job-interview-jobstealer-malware-windows-macos/ - OrBit (Re)turns: Tracking An Open-Source Linux Rootkit Across Four Years Of Forks And Deployments
"In July 2022, we published the first analysis of OrBit, a then-undocumented Linux userland-rootkit that stood out for its comprehensive libc hooking, SSH backdoor access, and PAM-based credential harvesting. At the time, OrBit appeared as a single sample with a single operator fingerprint, and the codebase itself looked customized. It wasn’t. As we will show below, OrBit is a repackaged and selectively weaponized build of Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022. The story of OrBit’s four-year evolution is not one of novel development; it’s the story of how a publicly available rootkit was forked, configured, and redeployed."
https://intezer.com/blog/orbit-returns/ - Device Code Phishing Is An Evolution In Identity Takeover
"Credential phishing remains an effective technique enabling everything from account takeover and fraud to ransomware and espionage. However, as organizations become better at defending against common phishing techniques such as multifactor authentication (MFA) phishing, cyber threat actors have expanded their capabilities to techniques like device code and OAuth phishing. When combined with LLM-generated tools and social engineering, criminals can use such techniques to target more people with new social engineering tricks at scale."
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover - Kimsuky Targets Organizations With PebbleDash-Based Tools
"Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns. Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021. Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language. This expanding set of tools underscores the group’s ongoing adaptation and evolution."
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/ - Popular Node-Ipc Npm Package Infected With Credential Stealer
"Socket’s threat feed has detected malicious activity in newly published versions of node-ipc, a long-running npm package previously associated with one of the most widely discussed supply chain incidents in the JavaScript ecosystem."
https://socket.dev/blog/node-ipc-package-compromised
https://www.stepsecurity.io/blog/node-ipc-npm-supply-chain-attack
https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html
Operation SilentCanvas : JPEG Based Multistage Powershell Intrusion
"At CYFIRMA, we identified a highly sophisticated multi-stage intrusion campaign leveraging a weaponized PowerShell payload disguised as a legitimate JPEG image file to deploy a trojanized instance of ConnectWise ScreenConnect for covert and persistent remote access. The intrusion likely originated through social engineering techniques such as phishing emails, malicious attachments, deceptive file-sharing interactions, or fake update lures involving a malicious file named sysupdate.jpeg. The payload was specifically crafted to exploit user trust and bypass conventional file-extension validation mechanisms while blending malicious activity with legitimate enterprise software."
https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/
อ้างอิง
Electronic Transactions Development Agency (ETDA) 
Research has identified two emerging threat campaigns that used agentic AI to drive intrusion operations against government entities and financial organizations across several countries in Latin America. Though evidence suggests that the two groups are likely separate entities, they share strikingly similar tactics, as we detail in this report. This degree of overlap suggests that AI-assisted attacks are becoming a broader pattern among threat actor groups."
