
Linux Kernel: DirtyFrag and DirtyClone Local Privilege Escalation Vulnerabilities

The Linux kernel is affected by a series of critical local privilege escalation (LPE) vulnerabilities known as the DirtyFrag family, specifically DirtyClone (CVE-2026-43503) and CVE-2026-53130. DirtyClone abuses cloned network packets to corrupt file-backed memory, letting an attacker rewrite executable code in the page cache and obtain root privileges without the modification ever reaching the file on disk. DirtyFrag involves memory corruption in the rxrpc (the kernel's RxRPC protocol implementation, used by AFS) and ESP (Encapsulating Security Payload, IPsec) subsystems. Both allow an unprivileged local user to cross kernel security boundaries and fully compromise the system. Remediation requires immediate application of the patches provided by the Linux kernel maintainers.

Cisco Catalyst SD-WAN Manager Path Traversal Vulnerability CVE-2026-20262

CVE-2026-20262 is a path traversal vulnerability in the Web UI of Cisco Catalyst SD-WAN Manager that allows an authenticated remote attacker to create or overwrite arbitrary files on the underlying Linux operating system. By embedding directory traversal sequences (such as ../) in crafted HTTP requests, the attacker writes outside the directory the application intends and can escalate to root, gaining full control over the SD-WAN orchestration layer. The vulnerability is being exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation enables network-wide compromise, traffic redirection, and persistent backdoor installation through the modification of system binaries or startup scripts.
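The flaw class behind this advisory is easiest to see side by side: a join-then-prefix check that lets `../` through, the canonicalising check that stops it, and a decoder-aware screen for hunting traversal attempts in web or proxy logs. This is an added example, not code from Cisco or from the advisory; UPLOAD_ROOT, the function names, and the sample log lines are constructed for illustration and assume a POSIX host.

```python
"""
Path traversal: a naive versus a hardened resolution of a user-supplied
file name, plus a request-path screen for log hunting.
Added example, not Cisco's code. UPLOAD_ROOT and all inputs are constructed.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

UPLOAD_ROOT = "/var/app/uploads"  # hypothetical document root (constructed)


def naive_resolve(root: str, user_path: str) -> Optional[str]:
    """Common but broken pattern: join, then string-prefix test.
    '../' survives os.path.join, and the joined string still starts with
    root, so the check passes and a later open() writes outside root."""
    candidate = os.path.join(root, user_path)
    return candidate if candidate.startswith(root) else None


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '..' (%252e%252e) is
    judged in its final form, not its on-the-wire form."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def safe_resolve(root: str, user_path: str) -> Optional[str]:
    """Hardened resolution: decode, reject NUL bytes, force the name to be
    relative, canonicalise (realpath also follows symlinks already on disk),
    then compare canonical paths with commonpath rather than a string prefix."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:
        return None
    rel = decoded.replace("\\", "/").lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    return candidate


# A '..' that stands alone as a path segment; '..hidden' is a legitimate name.
_TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def looks_like_traversal(request_target: str) -> bool:
    """Screen a raw request target as it appears in an access log for a
    traversal segment after decoding. A first-pass hunting filter only:
    confirm hits against the application's own audit trail."""
    return bool(_TRAVERSAL.search(decode_fully(request_target)))


if __name__ == "__main__":
    evil = "../../../etc/cron.d/backdoor"
    print("naive accepts:", naive_resolve(UPLOAD_ROOT, evil))
    print("safe accepts :", safe_resolve(UPLOAD_ROOT, evil))
    # Constructed sample log lines, not real traffic.
    for line in [
        "GET /app/download?file=reports/q1.pdf HTTP/1.1",
        "POST /app/upload/..%2f..%2fetc%2fpasswd HTTP/1.1",
        "POST /app/upload/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    ]:
        target = line.split(" ")[1]
        print(looks_like_traversal(target), line)
```

The prefix test is the part worth remembering: `os.path.join("/var/app/uploads", "../../../etc/cron.d/backdoor")` begins with the root string, so `startswith` is satisfied and only canonicalisation reveals where the write actually lands. The log screen decodes up to three times because single-encoded `%2e%2e` and double-encoded `%252e%252e` both reach the filesystem as `..`.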

GreatXML Zero-Day Bypasses Microsoft BitLocker via Windows Defender Offline Scan Artifacts

The GreatXML zero-day vulnerability, discovered by researcher Chaotic Eclipse, enables a practical bypass of Microsoft BitLocker drive encryption. The exploit leverages residual artifacts and side effects left by the Windows Defender Offline Scan process. By gaining physical access and utilizing the Windows Recovery Environment (WinRE), an attacker can manipulate these artifacts to achieve SYSTEM-level privilege escalation. This vulnerability is highly critical as it requires no user credentials and targets any Windows machine that has previously executed an offline scan. Currently, there is no available patch to mitigate this specific exploitation vector.

Google Patches Actively Exploited Zero-Day in Android Framework CVE-2025-48595

Google has remediated CVE-2025-48595, a high-severity integer overflow vulnerability within the Android Framework currently leveraged in limited, targeted attacks. The flaw enables local privilege escalation (LPE) by allowing an attacker—who has already achieved initial code execution via a malicious application or browser exploit—to break the Android security sandbox and gain full system or root-level access. With a CVSS score of 8.4, the exploit requires no user interaction for the escalation phase. Due to its active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agency remediation by June 5, 2026.

Critical Root Privilege Escalation in Cisco Unified Communications Manager CVE-2026-20230

A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-20230, exists in Cisco Unified Communications Manager (CUCM). An unauthenticated remote attacker can leverage a specific URI endpoint to facilitate an SSRF attack, bypassing filesystem protections to achieve arbitrary file writes on the underlying system. By injecting malicious data into critical system files—such as configuration files, cron jobs, or system binaries—the attacker can execute a secondary stage of privilege escalation to gain full root-level access. This vulnerability represents a total loss of confidentiality, integrity, and availability, necessitating immediate remediation via Cisco-provided software patches to prevent complete system compromise.

Zapocalypse: Multi-Stage Account Takeover Exploit in Zapier

The "Zapocalypse" exploit is a critical privilege escalation chain targeting Zapier's "Code by Zapier" Python execution feature. Attackers abuse the intended functionality of the sandboxed Python environment, using platform primitives to escape the restricted execution context and achieve full Account Takeover (ATO). This logic-based exploit lets an attacker hijack user sessions and then compromise every third-party SaaS application integrated via API into the affected Zapier account. Zapier has since deployed a patch to remediate the vulnerability.

Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP

A sophisticated Local Privilege Escalation (LPE) vulnerability, dubbed "Fragnesia," has been identified in the Linux kernel networking subsystem. By exploiting a logic error in the reassembly of ESP-in-TCP encapsulated traffic, an unprivileged user can induce page-cache corruption and achieve full root execution. Because the primitive corrupts file-backed pages rather than hijacking control flow, it sidesteps most modern hardware-enforced exploit mitigations.

Full-Chain Exploitation of Pterodactyl: From Directory Traversal to Kernel-Level Compromise

This intelligence report details a sophisticated, multi-stage attack chain targeting the Pterodactyl game-server management panel, transitioning from unauthenticated web exploitation to full kernel-level compromise. The research demonstrates how an attacker can chain disparate vulnerabilities across the application, operating system, and Linux kernel to achieve total host takeover.

