Hackers exploit FortiClient EMS flaw to push infostealer malware
The vulnerability is being actively exploited to deliver credential-stealing malware disguised as legitimate Fortinet updates through VPN scripting workflows.
Comparing 28 May 2026 with the previous day 27 May 2026.
The vulnerability is being actively exploited to deliver credential-stealing malware disguised as legitimate Fortinet updates through VPN scripting workflows.
137 Microsoft vulnerabilities published in May 2026, including critical RCE in Windows Netlogon and DNS Client with no known active exploitation.
ModeloRAT campaign exploits trusted Microsoft Teams as delivery vector for multi-stage attack with privilege escalation via CVE-2023-36036 to domain compromise, demonstrating that internal communication channels can be weaponized despite authentication mechanisms.
An unprivileged local user can exploit a race condition in AppArmor SAUCE patches to achieve arbitrary code execution, which is particularly relevant for multi-tenant environments.
An unprivileged local user can bypass AppArmor security policy enforcement through a heap overflow in notification handling code, posing a security risk on systems with AppArmor mandatory access control policies.
GreyVibe demonstrates a new attack model where Russia-linked threat actors systematically leverage AI tools to automate and escalate cyberoperations against Western targets.
GCHQ director confirms Russian daily operations against UK critical infrastructure (subsea cables, energy pipelines) and sanctions-evasion networks , signals escalated hybrid-warfare tactics with potential spillover effects on DACH energy and supply chains.
Chinese state-sponsored actors are using AI-driven automation to execute supply chain attacks in real time with minimal human involvement,a new escalation pattern for European manufacturing firms.
The vulnerability is actively being exploited in fresh attack campaigns post-April patch to deploy information-stealing malware.
Attackers abuse the trust relationship of endpoint management infrastructure to deliver malware directly to all managed endpoints via seemingly legitimate patches, enabling MFA bypass through stolen session cookies.
An unprivileged local user can trigger a memory-management bug in the kernel via AppArmor SAUCE patches, leading to slab metadata corruption and resource exhaustion.
The vulnerability allows an unprivileged local user to read sensitive information from kernel memory and can serve as a stepping stone for privilege-escalation attacks.
A privilege escalation vulnerability in the Linux kernel (AppArmor SAUCE patches) allows an unprivileged local user to trigger kernel panic or deadlock, causing system unavailability.
A locally-exploitable kernel panic in AppArmor requires a security update for Ubuntu production systems to maintain availability, but cannot be exploited remotely.
A remote code execution in Veeam Service Provider Console enables unauthorized access to backup infrastructure and potential compromise of business-critical data.
A vulnerability in 7-Zip enables arbitrary code execution by simply opening a malicious archive file, requiring no additional user interaction.
Both vulnerabilities enable remote code execution on critical backup systems, with at least one exploitable without authentication.
The vulnerability requires local access and causes kernel crash (DoS) but does not pose an immediate remote exploitation risk; patches for Ubuntu 6.8, 6.17, and 7.0 should be scheduled.
UNC6692 employs targeted social engineering via Teams fake invitations to deploy a modular custom malware suite,a tactic equally applicable to manufacturing environments.
The alert confirms a new Microsoft security update without details on active exploitation or campaigns; patch information should be validated via MSRC or BSI advisories.
Exploitation of this vulnerability allows local attackers to gain administrative privileges on Windows systems, potentially compromising backup integrity and enabling data exfiltration.
A critical vulnerability in Veeam allows authenticated Backup Administrators to write arbitrary files on Linux systems, potentially compromising the integrity of the backup infrastructure.
BSI update on multiple Intel processor vulnerabilities with privilege escalation and DoS potential requires patch management across all affected systems.
A BSI warning regarding multiple vulnerabilities in Veeam Backup & Replication signals elevated priority for patching, as this solution is central to the company's data protection and recovery strategy.
BSI advisory without specific CVE numbers or technical details; typical pattern of generic security warnings without documented active exploits in the wild.
BSI warns of multiple unspecified vulnerabilities in Adobe Creative Cloud applications without concrete CVE numbers or patching information; the advisory is generic and requires clarification of affected versions and available patches.
BSI warns of multiple yet-to-be-publicly-disclosed Edge vulnerabilities with unclear impact and exploit status; patch availability not announced.
The Gentlemen RaaS combines robust encryption with aggressive self-propagation and credential-theft campaigns, enabling rapid network-wide compromise.
CISA warns of currently active supply-chain attacks on multiple popular developer tools, with 42 TanStack packages comprising 84 versions compromised within 6,20 minutes; affected organizations should immediately reset credentials and audit installations.
Unpatched 0day in Windows library-ms with low CVSS (3.5) and user-interaction requirement; enables NTLM-response disclosure when viewing malicious folder content.
A yet-unpatched (0-day) Microsoft Office vulnerability enables disclosure of NTLM responses when exploited through user interaction, potentially laying groundwork for credential harvesting or follow-up attacks.
The BSI warning covers multiple unspecified kernel vulnerabilities but requires CVE details and kernel version information for concrete patching priorities.
The BSI advisory lacks specific CVE identifiers and technical exploitation details, complicating immediate risk assessment for Ubuntu 24.04 systems.
BSI notification of Microsoft's monthly patch day , routine security updates with no specific CVEs or exploitation status disclosed.
No changes in this category.
No changes in this category.
Unit 42 documents active, likely state-sponsored exploitation (CL-STA-1132) of a PAN-OS zero-day enabling unauthenticated remote code execution, targeting critical network perimeter infrastructure.
CL-STA-1132, a likely state-sponsored threat cluster, actively exploits CVE-2026-0300 and deploys open-source tunneling tools and Active Directory enumeration following initial compromise.
A remote code execution vulnerability in BeeStation Manager requires attention if the product is deployed, but does not affect standard Synology DSM devices typically used in manufacturing environments.
An authentication bypass in Synology DSM SSO module allows unauthorised access to NAS systems with knowledge of LDAP Distinguished Names, without requiring a password.
The vulnerability allows local users to install unsigned APP packages on PLCnext controllers without integrity verification, leading to root-level code execution,a critical risk for connected industrial automation systems.
The vulnerability allows any user in the same Entra ID domain to authenticate locally as another user on Unix systems because the DAG flow validates domain aliases but fails to verify the complete UPN username component.
The vulnerability enables passive network attackers to intercept sensitive healthcare data (patient identifiers, SMC-B operations, document content) in the Telematik infrastructure without active exploitation.
MuddyWater (Iranian state-sponsored APT) weaponizes Chaos ransomware as cover for targeted operations against Western infrastructure, masking state-sponsored intent as criminal RaaS activity.
Germany's Cabinet has granted the BKA new powers for active cyber defense, including the right to infiltrate and disrupt or destroy foreign IT systems , a measure that carries significant risks to uninvolved third parties, as attackers routinely use compromised systems as springboards.
State-sponsored actors differ fundamentally from financially motivated attackers: they do not use breaking-and-entering methods but instead compromise credentials and remain invisible for months using legitimate user tools.
The German bill explicitly regulates hackbacks and active cyber defense for the first time, defining new legal boundaries and options for cyber countermeasures for German and European companies.
The vulnerability requires local access and affects only sensitive parameter queries; no CVSS score or exploitability details are provided.
OceanLotus leverages legitimate Python package repositories (PyPI) as a malware distribution channel to compromise developers and organizations with Python dependencies,a sophisticated supply-chain approach with potential DACH implications.
A local validation flaw in Synology ActiveProtect Agent allows locally authenticated users to write arbitrary files with restricted content during installation, potentially compromising backup operation integrity.
The vulnerability allows local attackers to write arbitrary files with restricted content during installation,an installation-time attack that requires privileged access and therefore poses moderate risk to isolated backup systems.
The vulnerability allows local users to write arbitrary files with restricted content during installation,a critical risk in production environments where installation runs with elevated privileges.
The vulnerability allows already-authenticated administrators to obtain sensitive information via undocumented vectors , an insider-risk scenario in surveillance-critical systems.
The vulnerability allows authenticated administrators to access sensitive export keys in cleartext, posing a significant data risk for surveillance systems.
Five critical vulnerabilities in UniFi OS Server enable unauthorized system access by network-adjacent attackers; CVE-2026-34908 with CVSS score 10.0 represents maximum risk.
Kali365 bypasses MFA by stealing access and refresh tokens rather than passwords, enabling persistent access to Outlook, Teams, and OneDrive without repeated login attempts.
Microsoft Patch Tuesday for May 2026 includes 137 vulnerabilities with 31 critical, including RCEs in Windows Services, Office, Azure and SharePoint , no active exploitation observed.
The vulnerability requires existing elevated admin privileges and restricts write access to unspecified vectors, reducing practical exploitation risk for external attackers.
Unit 42 documents advanced AD CS misuse techniques for privilege escalation through misconfigured certificate templates and PKINIT-based authentication bypass observed in nation-state attack campaigns.
The BSI warns of a critical remote code execution vulnerability in 7-Zip when processing NTFS archives, which requires user interaction but poses significant security implications.
BSI advisory covering multiple vulnerabilities in Microsoft Developer Tools without specific CVE numbers or exploitation status , typically aggregated patch information from ongoing security updates.
BSI warning on multiple OpenSSL vulnerabilities without specific CVE references , requires clarification via direct BSI source or CISA cross-reference for concrete patching priorities.
SymJack demonstrates that AI coding agents can be tricked via malicious symlinks and repositories into installing attacker-controlled MCP servers, enabling compromise of CI/CD pipelines and secret exfiltration.
The BSI alert documents an active threat to Synology NAS systems commonly deployed in the DACH region, without a CVE identifier available, suggesting ongoing analysis or embargo-protected disclosure.
BSI warns of multiple unspecified Chrome vulnerabilities without naming specific CVE IDs or affected versions; the exact risk remains unclear until full disclosure.
The vulnerability allows an attacker with access to a non-CA certificate to forge arbitrary leaf certificates and thereby impersonate servers or clients in mTLS environments, representing a fundamental breach of the PKI chain of trust.
Akira intrusion demonstrates typical pattern: initial authentication via SSLVPN, lateral movement exclusively via RDP over two days, Kerberoasting and defense evasion through Event Log deletion,all activity was visible in standard logs but required proactive correlation between firewall and endpoint logs.
Attackers combine search engine poisoning with AI chatbot manipulation to distribute counterfeit utility downloads that inject GPU-mining malware via DLL sideloading,an escalation of supply-chain social engineering tactics.
A critical vulnerability in 7-Zip allows code injection through archives and requires prompt patching across all affected company systems.
Microsoft announces an automatic network isolation feature in Defender that will proactively limit damage upon attack detection,a preventive defensive capability rather than a patch.
BSI warning regarding multiple unspecified Linux kernel vulnerabilities without concrete CVE identifiers complicates risk prioritization for organizations with Ubuntu deployments.
The vulnerability causes an ABBA deadlock in filesystem operations and can cause system hang, but only under specific conditions (blocksize < pagesize).