Cyber News
Critical
SharePoint RCE CVE-2026-45659 Is Being Actively Exploited - CISA Says Patch Now
CISA added CVE-2026-45659, a remote code execution flaw in Microsoft SharePoint Server (CVSS 8.8), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. If you run on-prem SharePoint, this is now a patch-today situation.
Microsoft, SharePoint, KEV, RCE, actively exploited
Critical
Citrix Bleed 2 Exploited Within Hours of Disclosure - Now Feeding Ransomware Operations
A new CitrixBleed vulnerability in NetScaler appliances was exploited immediately after public disclosure using public PoC code, and Anubis ransomware affiliates are exploiting Citrix Bleed 2 (CVE-2025-5777) for initial access. If you run NetScaler, assume you are being scanned right now.
Citrix, NetScaler, ransomware, CitrixBleed, actively exploited
Critical
FortiBleed: Credentials From Hundreds of Thousands of FortiGate Firewalls Now Fueling INC and Lynx Ransomware
Researchers link the FortiBleed credential-theft campaign to active ransomware operations: credentials harvested from hundreds of thousands of FortiGate firewalls are being used by the INC and Lynx ransomware groups for initial access.
Fortinet, FortiGate, ransomware, credentials, INC, Lynx
Critical
Microsoft SharePoint RCE Added to CISA KEV After Active Exploitation (CVE-2026-45659)
CISA added a high-severity SharePoint Server remote code execution flaw (CVE-2026-45659, CVSS 8.8) to its Known Exploited Vulnerabilities catalog after confirming active exploitation. If you run on-prem SharePoint, this is now a patch-today item.
SharePoint, CVE, KEV, Microsoft, RCE, exploitation
Critical
New CitrixBleed Vulnerability Exploited Within Hours of Public Disclosure
Attackers began hitting NetScaler appliances with public proof-of-concept code almost immediately after a new CitrixBleed-class memory-disclosure flaw went public. The exploitation window between disclosure and attack is effectively zero.
CitrixBleed, NetScaler, Citrix, exploitation, PoC, zero-day window
Critical
Critical Cursor AI Editor Flaws (DuneSlide) Let a Single Prompt Run Code on Your Machine
Two flaws in the Cursor AI code editor, named DuneSlide (CVE-2026-50548 and a paired CVE), let an ordinary-looking prompt escape the editor's sandbox and execute arbitrary OS commands — zero-click, no approval box. It is a clean example of the AI toolchain becoming the attack surface.
Cursor, AI code editor, prompt injection, DuneSlide, RCE, AI security
Critical
First Ransomware Attack Run End-to-End by an AI Agent (JADEPUFFER)
Sysdig says it found the first ransomware attack executed start to finish by an AI agent — an LLM handled the break-in, credential theft, lateral movement, and encryption. It exploited a Langflow RCE to get in. Autonomous attackers are no longer hypothetical.
AI agent, ransomware, Langflow, RCE, autonomous attack, adversary simulation
High
FortiBleed: Credentials From Hundreds of Thousands of FortiGate Firewalls Fuel Ransomware
Researchers link credentials harvested from FortiGate firewalls (“FortiBleed”) to ransomware attacks by the INC and Lynx operations. A single class of edge-device leak is now feeding multiple ransomware crews.
FortiBleed, FortiGate, Fortinet, ransomware, INC, Lynx, credentials
High
Cisco Confirms Active Exploitation of Unified Communications Manager Flaw
Cisco confirmed attackers are exploiting a vulnerability in Unified Communications Manager. A public PoC has existed since disclosure, and the first exploitation attempts were seen within a week — another disclosure-to-attack gap measured in days.
Cisco, Unified CM, exploitation, PoC, patch, VoIP
High
Ransomware Crews Turn to Citrix Bleed 2, BYOVD, and Supply-Chain Credentials
Anubis-linked actors are chaining Citrix Bleed 2 (CVE-2025-5777) for initial access with legitimate RMM tools and bring-your-own-vulnerable-driver techniques. The tradecraft is deliberately built to look like normal admin activity.
ransomware, Citrix Bleed 2, BYOVD, RMM, Anubis, supply chain, living off the land
High
Medtronic Breach Hits 3.8 Million People After ShinyHunters Intrusion
Medical device maker Medtronic is notifying 3.8 million people that ShinyHunters accessed its corporate IT in April and stole personal and medical data. A reminder that healthcare breaches are a compliance and quantifiable-risk event, not just an IT one.
Medtronic, data breach, ShinyHunters, healthcare, HIPAA, compliance, risk
High
Adobe Patches 7 Maximum-Severity (CVSS 10.0) Flaws in ColdFusion and Campaign Classic
Adobe shipped fixes for seven CVSS 10.0 vulnerabilities in ColdFusion and Campaign Classic, enabling arbitrary code execution, privilege escalation, and file reads. ColdFusion has a long history of rapid post-patch exploitation — the clock starts now.
Adobe, ColdFusion, Campaign Classic, CVSS 10, patch, RCE
Notable
ConsentFix and ClickFix: Microsoft 365 Accounts Hijacked in Seconds via OAuth Abuse
New ConsentFix and ClickFix attacks steal Microsoft 365 session tokens in seconds using fake prompts and malicious OAuth consent flows — bypassing MFA entirely, because they steal the token that comes after authentication.
Microsoft 365, OAuth, ConsentFix, ClickFix, MFA bypass, phishing, identity
High
Unpatched Argo CD Flaw Could Let Attackers Take Over Kubernetes Clusters (No Fix Yet)
Synacktiv found an unauthenticated code-execution flaw in Argo CD's repo-server that can lead to full Kubernetes cluster takeover. There is no patch and no CVE assigned yet — mitigation is on you until Argo ships a fix.
Argo CD, Kubernetes, repo-server, RCE, unpatched, GitOps, supply chain