Weekly Exploit Roundup
Generated 2026-06-23T08:00:11.338957+00:00 (UTC)
- F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
Source: The Hacker News | Published: 2026-06-18T17:32:14+00:00 | Score: 20.812
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.
The vulnerabilities are listed below –
CVE-2026-42530 (CVSS v4 score: 9.2) – A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is
- Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and more
Source: Rapid7 Cybersecurity Blog | Published: 2026-06-19T17:08:23+00:00 | Score: 20.415
This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access. On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users.
New module content (5): Paperclip AI RCE using a chain of six API calls (CVE-2026-41679). Authors: Sagilayani https://github.com/sagilayani and h00die-gr3y h00die.gr3y@gmail.com. Type: Exploit. Pull request: #21547 contributed by h00die-gr3y. Pa
- CISA Adds One Known Exploited Vulnerability to Catalog
Source: Alerts | Published: 2026-06-18T12:00:00+00:00 | Score: 16.548
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies, updating BOD 22-01. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities
- CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
Source: The Hacker News | Published: 2026-06-17T05:50:46+00:00 | Score: 15.25
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary
- Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Source: The Hacker News | Published: 2026-06-17T17:36:28+00:00 | Score: 15.1
Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet.
The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw.
"Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender
- The Top 10 Attack Surface Exposures in 2026
Source: The Hacker News | Published: 2026-06-17T10:30:00+00:00 | Score: 14.889
Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop — like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication — anything internet-facing is immediately at risk.
With time-to-exploit now down to a
- Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Source: The Hacker News | Published: 2026-06-20T09:56:04+00:00 | Score: 13.515
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens
- CISA Adds One Known Exploited Vulnerability to Catalog
Source: Alerts | Published: 2026-06-16T12:00:00+00:00 | Score: 13.119
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies, updating BOD 22-01. BOD 26-04 reinforces the importance of the KEV catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities.
- What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks
Source: SecurityWeek | Published: 2026-06-22T10:30:00+00:00 | Score: 12.86
Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage.
- Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone
Source: The Hacker News | Published: 2026-06-19T06:36:09+00:00 | Score: 12.701
Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users.
The vulnerability, tracked as CVE-2025-20701 (CVSS score: 8.8), refers to a case of incorrect authorization impacting the Airoha Bluetooth audio SDK that makes it possible to pair a Bluetooth audio device without user consent.
End of report.
