Critical Langflow RCE Vulnerability CVE-2026-33017 Exploited Within Hours

Researchers report active exploitation of a critical RCE vulnerability (CVE-2026-33017) in Langflow that allows unauthenticated attackers to execute arbitrary Python code and steal sensitive API keys. The flaw was weaponized within 20 hours of disclosure, targeting exposed AI orchestration pipelines to harvest credentials and environment variables.

**If you're running Langflow, this is urgent. Update immediately to version 1.9.0.dev8 or later to patch CVE-2026-33017, and disable the AUTO_LOGIN=true default setting. Until you can update, restrict network access to the vulnerable endpoint and place Langflow behind a reverse proxy with authentication. Regardless of whether you patch or isolate, make sure to rotate all API keys and credentials the platform uses after isolating.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-langflow-rce-vulnerability-cve-2026-33017-exploited-within-hours-q-n-c-a-6/gD2P6Ple2L

BeyondMachines

Attackers Exploit Critical Quest KACE SMA Authentication Bypass

Arctic Wolf reports attacks exploiting a critical authentication bypass (CVE-2025-32975) in Quest KACE SMA to gain administrative control and move laterally into domain controllers and backup systems.

**If you are using Quest KACE SMA, this is urgent. Make sure your Quest KACE SMA is off the public internet and behind a VPN immediately. Check your logs for new unknown admin accounts, as these are signs that attackers have already taken over your management system. Then patch ASAP.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/attackers-exploit-critical-quest-kace-sma-authentication-bypass-z-3-u-b-2/gD2P6Ple2L

Critical Microsoft SharePoint RCE Vulnerability CVE-2026-20963 Under Active Exploitation

Microsoft SharePoint is under active exploitation of a critical RCE vulnerability (CVE-2026-20963) that allows unauthenticated attackers to take over servers via a deserialization flaw.

**Your SharePoint servers are under attack. Ideally, isolate them from the internet and make them accessible only from internal networks. Then apply the January 2026 patch ASAP. If you are still using SharePoint 2013 or older, isolate them and upgrade to a newer version. Those old systems are permanently vulnerable.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-microsoft-sharepoint-rce-vulnerability-cve-2026-20963-under-active-exploitation-l-r-5-d-h/gD2P6Ple2L

Google Reports Chrome Zero-Day Vulnerabilities Exploited in the Wild

Google reports two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). One is patched, and a patch for the other is coming in a future release.

**Another urgent patch for Chrome - Google is patching an actively exploited flaw in Chrome. DON'T DELAY! Update all your Chrome and Chromium browsers (Edge, Opera, Brave, Vivaldi...). Updating the browser is easy, and all your tabs reopen after the patch.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/google-reports-chrome-zero-day-vulnerabilities-exploited-in-the-wild-u-9-s-o-5/gD2P6Ple2L

CISA Warns of Active Exploitation in Ivanti Endpoint Manager Authentication Bypass

CISA added an Ivanti Endpoint Manager authentication bypass vulnerability (CVE-2026-1603) to its catalog of known exploited flaws after reports of active use by threat actors.

**If you use Ivanti Endpoint Manager, patching is now urgent. Update to 2024 SU5 immediately because attackers are already using this flaw to take over management servers.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-warns-of-active-exploitation-in-ivanti-endpoint-manager-authentication-bypass-u-5-u-l-k/gD2P6Ple2L

CISA Mandates Emergency Patching for SolarWinds Web Help Desk Vulnerabilities

CISA has shortened the patch deadline for actively exploited critical SolarWinds Web Help Desk vulnerabilities, including CVE-2025-26399.

**When a federal agency shortens a patch deadline to just a few days, it means the product is actively and successfully hacked. Treat your SolarWinds as an immediate priority: patch and, ideally, if possible, isolate your help desk software from the public internet.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-mandates-emergency-patching-for-solarwinds-web-help-desk-vulnerabilities-q-x-y-6-r/gD2P6Ple2L

ShinyHunters Exploits Salesforce Misconfigurations to Target 100 High-Profile Organizations

ShinyHunters exploited misconfigured guest user permissions in Salesforce Experience Cloud sites using a modified Mandiant tool to allegedly steal data from approximately 100 high-profile organizations.

**If you use Salesforce Experience Cloud, audit your guest user permissions immediately and enforce least-privilege access: disable public API access for guest profiles and set all object sharing to "private." Review your site for exposure through the /s/sfsites/ aura endpoint and check with Salesforce support for updated detection rules to identify any past malicious scanning activity.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/shinyhunters-exploits-salesforce-misconfigurations-to-target-100-high-profile-organizations-m-c-k-w-l/gD2P6Ple2L

Cisco Patches Actively Exploited Vulnerabilities in Catalyst SD-WAN Manager

Cisco reports five vulnerabilities in Catalyst SD-WAN Manager, including two under active exploitation that allow attackers to bypass authentication and gain root privileges.

**Make sure your Catalyst SD-WAN Manager is isolated from the internet and accessible only from trusted networks. Then plan a quick patch cycle, because every isolation will be breached given enough time.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisco-patches-actively-exploited-vulnerabilities-in-catalyst-sd-wan-manager-s-h-n-o-c/gD2P6Ple2L

CISA Reports Active Exploitation of VMware Aria Operations

CISA reports active exploitation of a VMware Aria Operations command injection vulnerability (CVE-2026-22719).

**If you are using VMware Aria Operations, this is urgent. Your systems are under attack, so patch ASAP. If you can't patch, run the official workaround script to disable the migration service and block the primary attack path.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-reports-active-exploitation-of-vmware-aria-operations-7-q-1-u-p/gD2P6Ple2L

Critical Privilege Escalation Vulnerability Reported in WordPress User Registration Plugin

A critical vulnerability (CVE-2026-1492) in the WordPress User Registration & Membership plugin allows unauthenticated attackers to create administrator accounts by exploiting a lack of server-side role validation. Active exploitation has already been detected.

**If you are using the User Registration & Membership plugin, this is urgent. Update to version 5.1.3 immediately, because this is an actively exploited flaw. If you can't update, disable user registration.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-privilege-escalation-vulnerability-reported-in-wordpress-user-registration-plugin-s-t-r-5-i/gD2P6Ple2L
