Today’s roundup
U.S. CISA adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Researchers uncover YellowKey and GreenPlasma Windows Zero-Days
Pwn2Own Berlin 2026, Day One: $523,000 paid out, AI products fall
Ghostwriter group resumes attacks on Ukrainian Government targets
TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer
Broadcom releases VMware Fusion security update for root access bug
Summary
The U.S. CISA has added a critical authentication bypass vulnerability, CVE-2026-20182 (CVSS 10.0), in Cisco Catalyst SD-WAN Controller and Manager to its Known Exploited Vulnerabilities catalog. The actively exploited zero-day allows unauthenticated remote attackers to gain administrative access and manipulate network configuration; federal agencies must patch it by May 17, 2026.
Microsoft disclosed an actively exploited zero-day vulnerability, CVE-2026-42897 (CVSS 8.1), impacting on-premises Exchange Server versions. This spoofing bug, an XSS flaw, allows arbitrary code execution via crafted emails targeting Outlook on the web users. Mitigations are available for this critical flaw.
Security researcher Chaotic Eclipse disclosed two new unpatched Windows zero-days: YellowKey, a BitLocker bypass for Windows 11 and Server 2022/2025, and GreenPlasma, a privilege escalation flaw in the CTFMON framework for Windows 11 and Server 2022/2026. Proof-of-concept code is public, and related vulnerabilities by the same researcher have seen real-world exploitation.
Day one of Pwn2Own Berlin 2026 resulted in researchers earning $523,000 for 24 unique zero-day vulnerabilities across various technologies. Notable exploits included a Microsoft Edge sandbox escape, multiple Windows 11 privilege escalations, and compromises against NVIDIA, Linux, and AI platforms such as LiteLLM and OpenAI Codex.
The Belarus-aligned Ghostwriter (FrostyNeighbor) APT group has resumed sophisticated attacks targeting Ukrainian governmental organizations since March 2026. The campaign uses geofenced PDF spear-phishing emails that deploy PicassoLoader, which collects system information; high-value targets are then manually served Cobalt Strike beacons.
OpenAI confirmed a security breach involving two employee devices impacted by the Mini Shai-Hulud supply chain attack on TanStack. This incident, affecting numerous npm and PyPI packages, prompted OpenAI to rotate code-signing certificates and recommend macOS updates, though no user data, production systems, or intellectual property were compromised.
Cybersecurity researchers identified a stealer backdoor within three new versions of the `node-ipc` npm package (9.1.6, 9.2.3, and 12.0.1). This malicious activity poses a significant supply chain risk by targeting developer secrets in projects relying on this widely used library.
A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin is under active exploitation. Hackers are leveraging this flaw to obtain administrative access to affected websites, so administrators should patch immediately.
A suspected China-linked threat actor has deployed new TencShell malware against the Indian branch of a global manufacturing company. The campaign utilizes an open-source offensive toolkit, signaling ongoing cyber espionage targeting industrial sectors with evolving custom tools.
Broadcom released a security update for VMware Fusion to fix a high-severity time-of-check time-of-use (TOCTOU) vulnerability, CVE-2026-41702. This flaw, reported by Mathieu Farrell, allows local non-administrative attackers to escalate privileges to root on macOS systems running the virtualization software.