Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
ConnectWise ScreenConnect Critical Machine Key Vulnerability Patched
ConnectWise disclosed a critical vulnerability in ScreenConnect (CVE-2026-3564, CVSS 9.0) that allows attackers to hijack sessions through cryptographic material extraction. The flaw affects server-level machine key protection, enabling unauthorized access and privilege escalation when exploited.
Earlier ScreenConnect versions stored unique machine keys in server configuration files, creating conditions where threat actors could extract this cryptographic material for session authentication bypass. The vulnerability requires prior server access or compromise to obtain the necessary machine keys, making it a secondary attack vector rather than direct remote exploitation. This follows previous ScreenConnect compromises where nation-state actors and ransomware groups targeted MSP infrastructure to access downstream client environments at scale.
The attack surface becomes particularly concerning given ScreenConnect’s widespread deployment across MSP environments for remote endpoint management. Historical incidents demonstrate that compromised ScreenConnect servers serve as pivot points into customer networks, with documented cases of ransomware deployment and espionage campaigns. Version 26.1 addresses the vulnerability through enhanced machine key encryption and storage protections, with cloud instances automatically updated while on-premises installations require immediate manual patching.
Oracle Fixes Critical Remote Code Execution Flaw in Database
Oracle released an emergency patch for CVE-2026-21992 (CVSS 9.8), a critical vulnerability in its database server software that enables remote code execution without authentication. The flaw affects Oracle Database versions 19c, 21c, and 23ai, threatening thousands of organizations worldwide that rely on this widely deployed enterprise platform.
The vulnerability exists in Oracle’s network listener component, which handles incoming client connections to the database. Attackers can exploit this flaw by sending malformed connection descriptors to the listener service running on TCP port 1521, triggering a buffer overflow condition that leads to arbitrary code execution with database privileges. The attack requires no user interaction or valid credentials, allowing complete system compromise including data access, record modification, and lateral network movement.
This emergency patch breaks Oracle’s typical quarterly update cycle, indicating imminent threat potential. The vulnerability stems from improper input validation in connection descriptor processing, a classic attack vector that has surprised analysts given the mature nature of the product. With Oracle holding approximately 40% of the global database market share, this flaw represents an extraordinarily high-value target for various threat actors. The persistence of such critical vulnerabilities in core components demonstrates the ongoing challenge of securing legacy code accumulated over decades of development.
Microsoft SharePoint Vulnerability CVE-2026-20963 Exploited in the Wild
CVE-2026-20963 (CVSS 8.8), a remote code execution (RCE) vulnerability in Microsoft SharePoint, has been added to the Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation. SharePoint servers frequently host high-value organizational data and are commonly integrated with broader enterprise environments, making them a high-value target for threat actors. Successful exploitation may enable unauthorized access, data exfiltration, service disruption, and facilitate lateral movement within affected networks.
The vulnerability stems from improper handling of deserialization of untrusted data within SharePoint. An unauthenticated attacker can deliver a crafted payload to a vulnerable server, triggering the deserialization process and achieving remote code execution without user interaction. This allows arbitrary code execution on the target system with low attack complexity. While initial vendor assessment indicated a lower likelihood of exploitation, this has since changed with confirmed in-the-wild activity. Attribution remains unclear; however, vulnerabilities of this type are commonly leveraged by initial access brokers and ransomware operators to establish initial access in enterprise environments.
Critical Jenkins CI/CD Server Vulnerabilities Enable Remote Code Execution
A new security advisory has been released addressing multiple critical vulnerabilities in a widely used CI/CD automation server and one of its plugins. The most severe vulnerability, CVE-2026-33001 (CVSS score 8.8), stems from how the server handles symbolic links during archive extraction. Attackers who have permissions to configure build items or control agent processes can craft malicious archives that write files to arbitrary locations on the filesystem, constrained only by the OS-level permissions of the running service. By escaping the intended directory, a threat actor can deploy malicious scripts or unapproved tools, ultimately achieving full remote code execution once the service restarts or processes the new files.
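The defensive counterpart to the symlink-escape pattern described above, as an added illustration (not CyberProof's, Jenkins' or the advisory's code): a pre-extraction vetting pass over a tar archive that refuses link entries, absolute paths and `..` components before anything touches disk. The archives, the `/srv/extract` destination and the `/tmp/escape` link target are constructed placeholders.

```python
import io
import tarfile
from pathlib import Path

class UnsafeArchiveEntry(Exception):
    """An archive member that would write outside the extraction directory."""

def build_tar(members) -> bytes:
    """Constructed in-memory tar. members: (name, kind, payload) where kind is
    'file' (payload = bytes) or 'symlink' (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples. SYMLINK_ESCAPE is the pattern the advisory describes: a
# link pointing outside the destination, then a file written through it.
SYMLINK_ESCAPE = build_tar([("out", "symlink", "/tmp/escape"),
                            ("out/payload.sh", "file", b"echo hi\n")])
DOTDOT_ESCAPE = build_tar([("../../outside.txt", "file", b"x\n")])
BENIGN = build_tar([("build/app.jar", "file", b"PK"), ("build/NOTES", "file", b"ok\n")])

def check_members(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse links, absolute paths, '..' components and anything whose resolved
    path lands outside dest. Runs over every member before a byte is written."""
    dest = dest.resolve()
    for m in tar.getmembers():
        if m.issym() or m.islnk():
            raise UnsafeArchiveEntry(f"link entry refused: {m.name}")
        p = Path(m.name)
        if p.is_absolute() or ".." in p.parts:
            raise UnsafeArchiveEntry(f"path escapes destination: {m.name}")
        if dest not in (dest / p).resolve().parents:
            raise UnsafeArchiveEntry(f"resolved outside destination: {m.name}")

def vet_archive(archive: bytes, dest: str = "/srv/extract") -> str:
    """Return 'ok' or the refusal reason. dest is an assumed placeholder and
    need not exist; only metadata is inspected, extraction is the caller's step."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        try:
            check_members(tar, Path(dest))
        except UnsafeArchiveEntry as exc:
            return str(exc)
    return "ok"
```

Extraction (for example `tar.extractall(dest)`) should run only after `vet_archive` returns `"ok"`, because a symlink written first redirects every later member that passes through it.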
A second high-severity flaw, CVE-2026-33002 (CVSS score 7.5), involves a DNS rebinding attack against the WebSocket CLI endpoint, where origin validation relied on easily manipulated HTTP request headers. An attacker can trick a victim into visiting a malicious site that resolves to the server's internal IP, establishing an unauthorized WebSocket connection and potentially executing administrative commands, escalating to full code execution via built-in scripting capabilities. Beyond these two critical flaws, two medium-severity vulnerabilities affect a third-party plugin, where API keys are stored unencrypted in job configuration files and remain unmasked in the interface, allowing any user with sufficient read or filesystem access to harvest sensitive credentials and pivot into external environments.
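Why a header-relative origin check fails under DNS rebinding, shown as an added example rather than the server's actual logic: the weak check compares `Origin` against `Host`, both of which the victim's browser fills in from the attacker's rebound hostname, while the hardened check compares both against an administrator-configured root URL. The root URL, hostnames and header sets are constructed.

```python
from urllib.parse import urlsplit

# Assumed deployment value: the root URL the administrator configured. Unlike the
# Host and Origin headers, it cannot be influenced by the request.
CONFIGURED_ROOT_URL = "https://ci.internal.example:8443"

def origin_check_host_relative(headers: dict) -> bool:
    """The weak pattern: accept when Origin's authority matches Host. Under DNS
    rebinding the attacker's name resolves to the server's address, so the
    victim's browser sends a Host and Origin that agree, and the check passes."""
    if "Origin" not in headers:
        return True
    return urlsplit(headers["Origin"]).netloc == headers.get("Host", "")

def origin_check_configured(headers: dict, root_url: str = CONFIGURED_ROOT_URL) -> bool:
    """Hardened pattern: Host must equal the configured authority, and Origin,
    when present, must match the configured scheme and authority exactly. A
    request without Origin is a non-browser client (browsers always send it on
    a WebSocket upgrade) and is admitted only with the expected Host."""
    root = urlsplit(root_url)
    if headers.get("Host", "") != root.netloc:
        return False
    if "Origin" not in headers:
        return True
    origin = urlsplit(headers["Origin"])
    return (origin.scheme, origin.netloc) == (root.scheme, root.netloc)

# Constructed WebSocket upgrade requests (only the headers that matter here).
LEGIT_BROWSER = {"Host": "ci.internal.example:8443",
                 "Origin": "https://ci.internal.example:8443"}
# Victim browsing an attacker page whose hostname was rebound to the server's
# internal IP after the page loaded: Host and Origin agree with each other.
REBOUND_BROWSER = {"Host": "attacker.example:8443",
                   "Origin": "http://attacker.example:8443"}
NATIVE_CLI = {"Host": "ci.internal.example:8443"}

def evaluate(check) -> dict:
    """Run one check over the three constructed requests."""
    cases = (("legit", LEGIT_BROWSER), ("rebound", REBOUND_BROWSER), ("cli", NATIVE_CLI))
    return {name: check(hdrs) for name, hdrs in cases}
```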
HPE Unauthenticated Web Interface Flaw Grants Admin Access
A critical vulnerability identified as CVE-2026-23813 (CVSS 9.8) has been disclosed in a widely deployed cloud-based network operating system used on switch infrastructure across enterprise campuses and data centers. Due to the extensive adoption of these platforms, the flaw presents significant risk, as exploitation of network management components can provide attackers with broad visibility and control over internal environments. Compromise at the network layer is particularly impactful, enabling lateral movement, traffic manipulation, and access to sensitive infrastructure components across the organization.
The vulnerability stems from improper authentication handling within the switch management web interface, allowing remote, unauthenticated attackers to gain full administrative access without requiring prior privileges or complex exploitation steps. Successful exploitation enables modification of administrator credentials and complete control over the affected device through simple network interaction. Although no active exploitation or public proof-of-concept has been reported at the time of disclosure, the low attack complexity and critical severity increase the likelihood of rapid weaponization. This issue aligns with a broader trend of security weaknesses in enterprise infrastructure products, underscoring the need for immediate patching, strict access controls, and continuous monitoring to prevent large-scale network compromise.
VoidStealer Exploits Chrome Startup Window to Extract Encryption Keys
A newly identified infostealer, VoidStealer, leverages a novel technique to bypass Chrome's Application-Bound Encryption (ABE) and extract the master key used to decrypt sensitive browser data. Unlike previous methods, this approach is stealthier and operates without requiring privilege escalation or code injection, making it the first infostealer of its kind observed in the wild to use such a mechanism.
ABE was introduced in mid-2024 as a protection layer for cookies and other sensitive browser data, ensuring the master key remains encrypted on disk and inaccessible through normal user-level access. Decrypting it requires a system-level service to validate the requesting process. While multiple malware families have previously bypassed this protection, and Google has since rolled out fixes, new variants have continued to find alternative ways around these defenses.
The technique works by targeting a brief window during browser startup when the master key is momentarily present in memory in plaintext. The malware launches a hidden, suspended browser process, attaches to it as a debugger, and waits for the relevant browser library to load. It then scans for a specific instruction to use as a hardware breakpoint, sets it across browser threads, and waits for it to trigger during startup, at which point the master key is read directly from memory. The technique itself is not entirely new: it appears to have been adapted from a publicly available open-source toolset demonstrating Chrome's encryption weaknesses, which has been accessible for over a year, suggesting that the gap between proof-of-concept research and active malware exploitation continues to narrow.