
Weekly Exploit Roundup 2026-05-12

Generated 2026-05-12T08:00:15.293188+00:00 (UTC)

  1. GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access
    Source: Threat Intelligence | Published: 2026-05-11T14:00:00+00:00 | Score: 23.464
    Executive Summary Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks. We explore the following developments: Vulnerability Discovery and Exploit Generation: For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI. The criminal threat actor planned to use it in a mass exploitation event but our proactive counter discovery may have prevented its use. Threat actors associated with the People’s Republic of China (PRC) and the De
  2. cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
    Source: The Hacker News | Published: 2026-05-11T17:54:00+00:00 | Score: 21.18
    A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.
    The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
  3. Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
    Source: The Hacker News | Published: 2026-05-06T06:14:00+00:00 | Score: 20.762
    Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild.
    The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any
  4. Metasploit Wrap-Up 05/08/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-08T18:26:10+00:00 | Score: 19.453
    Spring cleanup This week’s Metasploit updates focused on foundational improvements and expanded target reach. Key enhancements were made to the recently released Copy Fail exploit module, which now benefits from payload fixes in linux/x64/exec and linux/armle/exec. These changes expand its capability, enabling the use of the cmd/unix/python/meterpreter/reverse_tcp payload on x64 targets and introducing support for ARMLE Linux. Additionally, the exploit/multi/http/shiro_rememberme_v124_deserialize module has been improved to allow operators to adjust the deserialization chain, enabling exploitation of a broader set of targets. Finally, several critical utility modules, including the FTP anonymous scanner and other FTP modules, received general fixes and updates. New module content (1) Anonymous FTP Access Detection Authors: Matteo Cantoni goony@nothink.org and g0tmi1k Type: Auxiliary Pull request: #21372 contributed by g0tmi1k Path: scanner/ftp/ftp_anonymous AttackerKB reference: CVE-19
  5. Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
    Source: The Hacker News | Published: 2026-05-07T17:55:00+00:00 | Score: 19.324
    Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
    The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
    It allows "a remotely authenticated user with administrative access to achieve remote code
  6. MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
    Source: The Hacker News | Published: 2026-05-05T11:56:00+00:00 | Score: 19.217
    Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck.
    The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution.
    "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code
  7. Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
    Source: The Hacker News | Published: 2026-05-08T05:12:00+00:00 | Score: 19.159
    Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel.
    Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers
  8. PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
    Source: The Hacker News | Published: 2026-05-07T13:34:00+00:00 | Score: 17.194
    Palo Alto Networks has disclosed that threat actors may have made unsuccessful attempts to exploit a recently disclosed critical security flaw as early as April 9, 2026.
    The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker
  9. Why Security in 2026 Requires Continuous Threat and Exposure Management (CTEM) at Scale
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-07T13:00:10+00:00 | Score: 16.577
    Let's be honest, the patching window just shrank to something no practitioner or organization can keep up with. Organizations now need to operate in an environment that must assume breach, which means fundamentals like attack surface management, micro-segmentation, identity management, and attack path validation – aka a few core pillars of CTEM – just became the most important initiatives within the cybersecurity department. Rapid7 is the only vendor that provides a truly unified platform to master Continuous Threat Exposure Management (CTEM). How Rapid7 satisfies all 5 steps of the CTEM Framework. Steps 1 and 2: Scoping and Discovery. Achieving full visibility: Rapid7 eliminates "unknown unknowns" by providing line-of-sight into 100% of your hybrid attack surface. Surface Command (CAASM): We establish a single source of truth by unifying asset and identity inventory from over 200 third-party vendors and native sources. Vulnerability Management: Our full-stack active scanning discovers s
  10. Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE
    Source: The Hacker News | Published: 2026-05-05T16:19:00+00:00 | Score: 16.347
    The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE).
    The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue

End of report.
