Threat Alerts

A local privilege escalation affecting the CIFS client and userland cifs-utils allows an unprivileged account to obtain root by supplying a forged cifs.spnego upcall. The flaw enables malicious users to influence kernel handling of authentication descriptions, risking local root compromise.

The issue arises from interaction between the kernel CIFS client and a userspace helper that supplies SPNEGO descriptions. An attacker with local access can craft or hijack the userspace upcall providing SPNEGO data; the kernel accepted those descriptions and could be driven to escalate privileges. A kernel-side change to reject userspace-provided cifs.spnego descriptions has been published and is queued for stable backports; userspace updates are also implicated.

Microsoft has released out-of-band security updates addressing a high-severity remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, tracked as CVE-2026-45659 (CVSS 8.8). The vulnerability stems from unsafe deserialization of untrusted data within SharePoint, allowing a low-privileged authenticated attacker to submit specially crafted serialized payloads that may result in arbitrary code execution on the SharePoint server. Microsoft stated that exploitation requires only network access and a minimum Site Member-level account, without requiring administrator privileges or user interaction.

Successful exploitation could enable server-side code execution, lateral movement, persistence, credential access, and compromise of connected enterprise environments. The vulnerability is rooted in insecure handling of serialized objects within SharePoint request-processing components, where insufficient validation allows malicious payloads to trigger code execution during deserialization. Although Microsoft currently assesses exploitation as “less likely,” SharePoint vulnerabilities involving deserialization flaws have historically been rapidly weaponized following disclosure.

GitHub has released GitHub Enterprise Server (GHES) 3.20.3, addressing multiple security vulnerabilities, including a critical pre-authentication Server-Side Request Forgery (SSRF) vulnerability tracked as CVE-2026-9312 (CVSS 9.2). The flaw stems from insufficient input validation in an upload endpoint and could allow an attacker with network access to a GHES instance to send crafted requests to internal services, potentially exposing sensitive credentials and internal resources without requiring authentication.

The update also addresses a high-severity SSRF and information disclosure vulnerability, CVE-2026-8606, affecting the security advisories package lookup feature. On affected instances, attackers could leverage a timing side-channel attack and abuse package URL handling to access sensitive environment variables and interact with internal services. Depending on the configuration, exploitation could require no authentication or only a low-privileged authenticated account. GitHub mitigated the issue by removing the vulnerable endpoint entirely.

Additionally, GHES 3.20.3 incorporates fixes for the recently disclosed Dirty Frag Linux kernel vulnerabilities, CVE-2026-43284 (CVSS 8.8) and CVE-2026-43500 (CVSS 7.8), which could allow a local attacker to escalate privileges to root on affected systems. GitHub also announced the revocation of its previous GHES package signing key, requiring administrators to rotate GPG public keys before applying future updates.

A high-severity authentication bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access is being actively exploited in the wild. Tracked as CVE-2026-0257 (CVSS 7.8), the flaw was recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following observed exploitation targeting GlobalProtect deployments.

CVE-2026-0257 enables a remote, unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway. The vulnerability affects deployments using the optional authentication override feature, which issues session cookies to authenticated users. Under specific configurations where the certificate used to encrypt these cookies is shared with another service, such as the portal HTTPS service, an attacker can obtain the public key, forge valid authentication cookies, and bypass authentication without requiring legitimate credentials.

Observed exploitation activity involved attackers issuing forged authentication override cookies to GlobalProtect gateways while targeting local administrator accounts. The activity originated from commercial hosting infrastructure and leveraged spoofed hostnames and MAC addresses to appear as legitimate endpoints. In some cases, the attacks resulted in successful VPN session establishment, providing direct access to internal network resources. The repeated use of the same spoofed MAC address across multiple intrusion attempts suggests a coordinated campaign likely conducted by a single threat actor.

Google has released a major security update for Google Chrome addressing more than 150 vulnerabilities, including multiple critical-severity flaws that could enable remote code execution, sandbox escape, and full system compromise through specially crafted web content. The most severe vulnerabilities include CVE-2026-9874 (CVSS 9.6), a Use-After-Free flaw in the Dawn graphics component that may allow attackers to escape the browser sandbox via a crafted HTML page; CVE-2026-9886 (CVSS 9.6), another critical memory corruption vulnerability; CVE-2026-9881 (CVSS 9.0); and CVE-2026-9891, all of which affect core browser components involved in content rendering and memory handling. Google stated that details for many of the vulnerabilities will remain temporarily restricted until a majority of users receive the fixes.

Several of the critical vulnerabilities involve memory corruption conditions, such as Use-After-Free and heap manipulation weaknesses, which are frequently leveraged by threat actors to achieve arbitrary code execution or browser sandbox escape. Successful exploitation could allow attackers to compromise systems through malicious websites or crafted web content, potentially leading to credential theft, malware delivery, session compromise, or follow-on exploitation activity.

A North Korean state-sponsored threat group has been observed conducting a multi-stage intrusion campaign targeting macOS environments across high-value financial sectors, including venture capital firms, Web3 developers, and cryptocurrency organizations. Active since 2020, the group has steadily evolved its methods from simple malicious macros to sophisticated, native macOS components designed to strip target endpoints of cryptographic keys and operational identities. This latest activity marks a sharp shift toward trust abuse over traditional technical exploitation, with the malware leveraging signed, built-in system applications to operate outside standard macOS security enforcement boundaries, suppress security alerts, and execute arbitrary code under the guise of a legitimate user update.

The attack begins with targeted social engineering attack, where the attacker poses as a recruiter, investor, or business partner and schedules a video meeting. Before the meeting takes place, the victim is instructed to run a fake video conferencing SDK update file — a compiled script that opens natively inside a built-in macOS application, with the malicious logic buried beneath thousands of empty lines to keep it out of immediate view. From there, a fake system update application launches a native-looking prompt to harvest the user’s login password, while the malware abuses a trusted system application — which holds full disk access permissions by default — to silently manipulate the central privacy database and inject a full automation allowance, bypassing OS security prompts entirely.

For persistence, a boot configuration is dropped into a system launch directory, loading a backdoor component at startup that reflectively loads a core beacon agent directly into memory and communicates outbound every 60 seconds. The final stage involves profiling the system, archiving critical data into compressed files, and exfiltrating targets such as cryptocurrency software wallets, browser extension storage, messaging session profiles, local SSH keys, and unencrypted notes — all uploaded to remote infrastructure over non-standard ports. While parts of the original campaign infrastructure have been partially mitigated, the core techniques — native binary execution, privacy database abuse, and persistence via system launch configurations — remain operationally relevant, as the threat actor can easily pivot to new domains, file names, and payloads, making historical indicators of compromise far less reliable as a defense.