Vulnerabilities & Exploits
Cybersecurity news in this category

Microsoft Patches Record 570 Windows Vulnerabilities in July Update, Including Three Actively Exploited Zero-Days

WinFsp Vulnerability CVE-2026-3006 Allows Local Attackers to Escalate Privileges to SYSTEM via Race Condition in Kernel Driver

Progress Software Urges Businesses to Immediately Shut Down ShareFile Storage Zone Controller Servers Over Credible External Threat
OpenClaw AI Assistant Compromised via WhatsApp: Three Critical Vulnerabilities Allowed Credential Theft, Sandbox Escape, and Arbitrary Code Execution on Host
Security researchers discovered three high-severity vulnerabilities in OpenClaw that could let attackers steal credentials, escalate privileges, and execute arbitrary code on the host system running the AI assistant. Two flaws rated 8.8 on the CVSS scale stemmed from incomplete command filtering that failed to block dangerous inputs, while a third issue rated 8.4 enabled sandbox bypass by mounting parent directories such as /home or /var. The weaknesses potentially exposed sensitive data in ~/.ssh, ~/.aws, and ~/.gnupg, and even allowed attackers to reach the Docker socket for full host escape. Notably, the attack could be triggered remotely through an external WhatsApp message without any prior system access, according to researcher Chinmohan Nayak. All issues were patched in OpenClaw version 2026.6.6, and users are urged to update immediately while tightening sandbox and tool permissions.
IRIS C2 Zero-Day Marketplace: How Two Convicted Fraudsters Jack Berkman and Jacob Wohl Launched a Government-Facing Exploit Trading Operation
IRIS C2, a Virginia-based company promising up to $7 million for zero-day vulnerabilities and offensive hacking tools, is operated by Calvexa Group LLC and run by two previously convicted political provocateurs with histories of fraud and operating under false identities. Journalist Brian Krebs uncovered that the firm, which emerged on social media in January 2025, markets itself as a supplier of offensive cyber capabilities while actively recruiting young talent without requiring formal degrees or experience. The company claims to purchase zero-days, exploit chains, and ready-made attack tools for major platforms, then refine them into stable, weaponized products for sale primarily to government agencies, including phone-hacking solutions. Founders Jack Berkman and Jacob Wohl previously ran fake intelligence firms, spread false accusations against politicians, and were convicted in 2022 for wire fraud in Ohio, later receiving a $5.1 million FCC fine for illegal robocall campaigns. They also received $300,000 from a cryptocurrency theft suspect to lobby for a presidential pardon, continuing a pattern of deceptive business practices exposed by outlets including KrebsOnSecurity and Politico.
Don't Flash Your Keys on Social Media: Photos Can Be Used to 3D-Print Working Duplicates in Minutes
A cybersecurity specialist has demonstrated that ordinary photographs of keys posted on social media can be turned into functional duplicates using only publicly available tools. Red teamer Evan Ottinger showed how visible key profiles and cuts allow attackers to reconstruct the exact geometry and produce working copies via graphic editors and 3D printers. The entire process, from downloading a photo to having a usable plastic key, can take as little as 10-15 minutes and leaves no obvious traces on the lock, unlike traditional lockpicking methods. Ottinger tested the technique himself after initially doubting its effectiveness, confirming that the printed key successfully opened the corresponding lock. The researcher warns that both ordinary users and celebrities frequently share such images, treating physical keys like passwords that should never be displayed in close-up shots or stories. This physical attack vector raises serious concerns for security professionals because it bypasses digital protections while appearing completely normal to bystanders.
Critical CVSS 10.0 Vulnerabilities in Joomla SP Page Builder and Page Builder CK Enable One-Click Unauthenticated File Upload and Full Site Takeover
U.S. authorities have warned about three actively exploited vulnerabilities added to CISAโs Known Exploited Vulnerabilities catalog, urging immediate patching. The most severe issues, CVE-2026-48908 and CVE-2026-56290, affect Joomla extensions SP Page Builder and Page Builder CK respectively, both scoring 10.0 and allowing unauthenticated attackers to upload and execute arbitrary PHP files for complete site compromise. A third flaw, CVE-2026-55255 (CVSS 9.9), impacts the Langflow AI application platform and permits authenticated attackers to hijack other usersโ processes and access sensitive secrets. All three vulnerabilities are already being used in real-world attacks, though CISA has not disclosed attacker identities or victim counts. Federal agencies must remediate under BOD 26-04, while all organizations are advised to check for vulnerable components, apply fixes, and review logs for prior intrusions.
Windows Defender Patch for RoguePlanet Zero-Day Vulnerability May Exhaust Disk Space on Windows Systems
Microsoft released a security update addressing the RoguePlanet zero-day vulnerability (CVE-2026-50656) in the Microsoft Malware Protection Engine used by Windows Defender. The flaw, disclosed earlier by researcher NightmareEclipse, allowed remote attackers to gain administrative control over Windows 10 and Windows 11 even when real-time protection was disabled. While the patch was intended to resolve the issue and deploy automatically, the researcher now claims it introduces a new problem involving excessive disk writes. Specifically, the update may cause Defender to cache extremely large Zone.Identifier alternate data streams without size limits, potentially filling the entire drive. The attack vector involves a malicious SMB server that serves oversized metadata streams while maintaining the connection. Microsoft has not yet confirmed the reported behavior, and tensions between the company and the researcher continue over disclosure practices and bug bounty rewards.