Critical RCE in Everest Forms Pro Exploited to Compromise WordPress Sites

Threat actors are exploiting a critical RCE vulnerability in Everest Forms Pro (CVE-2026-3300) to take over WordPress sites, while separate campaigns use Stripe and Google Tag Manager to exfiltrate stolen credit card data.

**If you use the Everest Forms Pro WordPress plugin, update it to version 1.9.13 or later ASAP, since attackers are actively exploiting a critical flaw to take over sites. After updating, check your WordPress user list for any unknown accounts and review your server logs for suspicious activity (such as connections from IPs 202.56.2.126 or 209.146.60.26).**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-rce-in-everest-forms-pro-exploited-to-compromise-wordpress-sites-2-6-y-d-9/gD2P6Ple2L

CISA Reports Active Exploitation of Critical Mirasvit Magento Extension Flaw

CISA reports exploitation of a critical PHP object injection vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer. The flaw allows unauthenticated attackers to achieve remote code execution by sending a malicious cookie to vulnerable e-commerce servers.

**If you use the Mirasvit Full Page Cache Warmer on Magento, update to version 1.11.12 immediately. After updating, check your web logs for 'CacheWarmer' cookies containing base64 strings starting with Tz, Qz, or YT to see if attackers have already targeted your store.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-reports-active-exploitation-of-critical-mirasvit-magento-extension-flaw-4-t-7-u-o/gD2P6Ple2L
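
The log check above can be scripted rather than eyeballed. The following is an added example, not code from BeyondMachines or Mirasvit: it scans constructed web-server log lines that record the request cookie header, pulls out any `CacheWarmer` cookie, and flags values whose base64 decoding begins with a PHP `serialize()` prefix (`O:`, `C:` or `a:`, which is exactly what the `Tz`, `Qz` and `YT` base64 prefixes correspond to). The log format and sample lines are assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample log (not real traffic): combined-format lines with the
# Cookie request header appended as a final quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CacheWarmer=Tzo4OiJzdGRDbGFzcyI6MDp7fQ=="
198.51.100.9 - - [10/May/2026:10:01:05 +0000] "GET /catalog HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "PHPSESSID=abc123; CacheWarmer=YToxOntpOjA7czoxOiJ4Ijt9"
192.0.2.4 - - [10/May/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "CacheWarmer=1"
"""

COOKIE_RE = re.compile(r'\bCacheWarmer=([^;"\s]+)')
# Base64 of "O:" (object), "C:" (custom class) and "a:" (array): the PHP
# serialize() prefixes the advisory tells you to look for.
SUSPICIOUS_B64_PREFIXES = ("Tz", "Qz", "YT")
SERIALIZE_PREFIXES = ("O:", "C:", "a:")


def cache_warmer_cookie(line: str) -> Optional[str]:
    """Return the raw CacheWarmer cookie value from a log line, if present."""
    m = COOKIE_RE.search(line)
    return m.group(1) if m else None


def decoded_prefix(value: str) -> str:
    """First two bytes after strict base64 decoding, or '' if not valid base64."""
    try:
        return base64.b64decode(value, validate=True)[:2].decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def is_suspicious(value: str) -> bool:
    """True when the cookie looks like a base64-wrapped PHP serialized payload."""
    if value.startswith(SUSPICIOUS_B64_PREFIXES):
        return True
    return decoded_prefix(value) in SERIALIZE_PREFIXES


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, cookie_value, decoded_prefix) for each suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        value = cache_warmer_cookie(line)
        if value and is_suspicious(value):
            hits.append((line.split(" ", 1)[0], value, decoded_prefix(value)))
    return hits


if __name__ == "__main__":
    for ip, value, prefix in scan(SAMPLE_LOG):
        print(f"{ip}: CacheWarmer cookie decodes to {prefix!r} -> investigate")
```

A hit means someone sent a serialized-object cookie to the store; treat it as a sign the flaw was probed and check whether the server was patched at the time.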

CISA Warns of Active Exploitation of Linux Container Escape Flaw

CISA has added a Linux kernel container escape vulnerability (CVE-2022-0492) to its list of known exploited flaws. This flaw allows attackers to bypass container isolation and gain root-level privileges on host systems.

**Update your Linux kernel to a patched version that restricts release_agent writes, and where possible move to cgroups v2 which removes the vulnerable feature entirely. As an extra layer, enable security profiles like AppArmor, SELinux, or Seccomp, and don't run containers with the --privileged flag or unnecessary admin capabilities.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-warns-of-active-exploitation-of-linux-container-escape-flaw-e-f-a-4-k/gD2P6Ple2L

Critical Authentication Bypass in Burst Statistics Plugin Exploited for WordPress Takeovers

Attackers are exploiting a critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181) to gain full administrative control and create unauthorized accounts.

**If you use the Burst Statistics plugin for WordPress, update it to version 3.4.2 or 3.4.3 immediately. Attackers are actively taking over sites running vulnerable versions (3.4.0 to 3.4.1.1). After updating, check your WordPress user list for any unauthorized admin accounts created on or after May 13, 2026, and remove them.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/critical-authentication-bypass-in-burst-statistics-plugin-exploited-for-wordpress-takeovers-z-p-m-p-4/gD2P6Ple2L

CISA Warns of Active Exploitation Targeting Oracle WebLogic Server Vulnerabilities

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are being actively attacked via CVE-2024-21182, a high-severity flaw allowing unauthenticated data access via T3 and IIOP protocols. CISA mandated federal agencies patch the vulnerability by June 4, 2026, after evidence of active exploitation.

**Apply Oracle's July 2024 Critical Patch Update (and all subsequent patches) to your WebLogic Server installations right away, as attackers are actively exploiting this flaw. In the meantime, restrict or disable access to the T3 and IIOP protocols. If the server does not serve public content for external visitors, make sure WebLogic servers are only reachable from trusted internal networks, not the open internet.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/cisa-warns-of-active-exploitation-targeting-oracle-weblogic-server-vulnerabilities-9-h-h-w-r/gD2P6Ple2L

Palo Alto Networks PAN-OS Authentication Bypass Exploited in the Wild

Palo Alto Networks patched a high-severity authentication bypass vulnerability (CVE-2026-0257) in PAN-OS and Prisma Access that is being exploited to gain unauthorized VPN access. The flaw allows attackers to forge session cookies when encryption certificates are shared with HTTPS services.

**If you use Palo Alto Networks PAN-OS or Prisma Access with GlobalProtect, act ASAP: devices like yours are already under attack. Review the advisory and upgrade to the respective patched version (12.1.7, 11.2.12, 11.1.15, or 10.2.18-h6). If you can't patch right away, disable the authentication override feature or generate a separate certificate used only for cookie encryption that isn't shared with the HTTPS service.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/palo-alto-networks-pan-os-authentication-bypass-exploited-in-the-wild-f-1-o-b-b/gD2P6Ple2L

KnowledgeDeliver Zero-Day Flaw Exploited to Deploy Web Shells

KnowledgeDeliver LMS installations are being targeted by a zero-day deserialization vulnerability (CVE-2026-5426) caused by hardcoded machine keys, allowing attackers to deploy web shells and Cobalt Strike backdoors.

**If you run Digital Knowledge's KnowledgeDeliver LMS, immediately replace the default ASP.NET machine keys in your web.config with unique, cryptographically strong ones to block these attacks. If possible, restrict portal access to trusted IP ranges, and monitor Windows Application logs for Event ID 1316 (ViewState verification failures).**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/knowledgedeliver-zero-day-flaw-exploited-to-deploy-web-shells-5-x-f-c-n/gD2P6Ple2L

Ghost CMS SQL Injection Flaw Exploited in Global ClickFix Malware Campaign

A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) is being exploited to steal administrative keys and inject malicious 'ClickFix' scripts into over 700 websites. The campaign targets high-profile domains to deliver malware by tricking visitors into running malicious commands in their system terminal.

**If you run a Ghost CMS site, this is urgent. Check your version and update to version 6.19.1 or later. Then rotate all API keys and staff passwords since any credentials from before the patch may already be compromised. Also review your published articles for unauthorized scripts and check API logs for signs of suspicious activity.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/ghost-cms-sql-injection-flaw-exploited-in-global-clickfix-malware-campaign-d-m-c-f-3/gD2P6Ple2L

LiteSpeed cPanel Plugin Zero-Day Exploited for Root Access

LiteSpeed Technologies patched a critical, actively exploited vulnerability (CVE-2026-48172, CVSS 10.0) in its cPanel plugin that allows any user to run scripts with root privileges. Attackers are currently using this flaw to gain full control over web hosting servers.

**If you use LiteSpeed on cPanel, immediately upgrade to LiteSpeed WHM Plugin version 5.3.1.0 (which includes the patched cPanel plugin v2.4.7); if you can't update right away, temporarily uninstall the user-end plugin to prevent a complete server takeover. Then check for exploitation attempts with `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null`, block suspicious IPs, and audit your system.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/litespeed-cpanel-plugin-zero-day-exploited-for-root-access-6-l-t-k-n/gD2P6Ple2L

RondoDox Botnet Hijacks Over One Million ASUS Routers via 2018 Vulnerability

The RondoDox botnet is exploiting a critical 2018 vulnerability (CVE-2018-5999) in over one million ASUS routers to gain unauthorized control and launch DDoS attacks.

**If you own an ASUS router, first make sure it is isolated from the internet and only accessible from trusted networks, with the management interface never exposed to the public internet. Then check whether your model still receives official firmware updates and apply the latest version. If the model is end-of-life, replace it with a supported one, and disable the `infosvr` service.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/rondodox-botnet-hijacks-over-one-million-asus-routers-via-2018-vulnerability-0-0-l-l-u/gD2P6Ple2L