Statistics
- 26 Posts
- 9 Interactions
Fediverse
⚠️CERT-FR Alert⚠️
Vulnerability CVE-2026-42897 affects Microsoft Exchange and allows remote indirect code injection (XSS) as well as a security policy bypass.
It is actively exploited.
Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/
Critical security vulnerability CVE-2026-42897 threatens Microsoft Exchange Server 2016, 2019 and Subscription Edition. Attackers can execute JavaScript code via OWA. #Microsoft #ITSec https://winfuture.de/news,158719.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
Exchange Server – CVE-2026-42897: this zero-day flaw is already being exploited! https://www.it-connect.fr/exchange-server-cve-2026-42897-cette-faille-zero-day-est-deja-exploitee/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #Microsoft #Exchange
High critical cross-site scripting (XSS) vuln in Microsoft Exchange Server 2016 being used in the wild
📰 Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically
📢 Microsoft confirms a new Exchange Server zero-day (CVE-2026-42897) is actively exploited! The XSS flaw in OWA affects on-prem servers. Mitigations are being deployed automatically via the EM service. Check your systems! 🛡️ #Exchange #Zeroday
🌐 cyber[.]netsecops[.]io
Oops, a new Exchange zero-day just dropped.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
Mitigation available. No Patch.
Statistics
- 10 Posts
- 145 Interactions
Fediverse
Regarding CVE-2026-42945 in nginx - no modern (or even old) Linux distribution runs nginx without ASLR.
The way the PoC exploit works is they spawn nginx like this:
> exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf
Setarch -R disables ASLR. I've had a look through Github and I can't find any other software which actually does this for nginx either.
So, cool, sweet technical vuln - it's valid - but the RCE apocalypse ain't coming.
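The post above turns on a detail that is easy to misread: `setarch -R` does not touch the kernel-wide `kernel.randomize_va_space` sysctl, it sets the ADDR_NO_RANDOMIZE flag (0x0040000, from `<sys/personality.h>`) in the launching process's personality, which nginx's workers inherit. The script below is an added example, not code from the post or from the nginx project; it reads both places from `/proc` so you can confirm on your own hosts whether any nginx process is actually running the way the PoC launches it. It assumes the Linux `/proc/PID/personality` format (eight hex digits) and that the caller can read that file (same uid as the process, or root).

```sh
#!/bin/sh
# Added example: distinguish "ASLR off for this process" (personality flag,
# what setarch -R sets) from "ASLR off system-wide" (sysctl), using /proc only.

ADDR_NO_RANDOMIZE=262144   # 0x0040000 in <sys/personality.h>

# True (exit 0) if a personality value, as printed by /proc/PID/personality
# (eight hex digits, optional 0x prefix accepted), has ADDR_NO_RANDOMIZE set.
personality_no_randomize() {
    hex=${1#0x}
    [ $(( 0x$hex & ADDR_NO_RANDOMIZE )) -ne 0 ]
}

# Human-readable meaning of kernel.randomize_va_space.
randomize_va_space_label() {
    case $1 in
        0) echo "disabled system-wide" ;;
        1) echo "partial (no brk/heap randomisation)" ;;
        2) echo "full" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# Walk /proc, report every nginx process (master or worker) whose
# personality carries ADDR_NO_RANDOMIZE, and the system-wide setting.
# Exit status 0 means nothing found; 1 means at least one finding.
# /proc/PID/personality is only readable with ptrace access to the process,
# so run as root (or the nginx user) for complete results.
audit_nginx_aslr() {
    found=0
    sysval=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo '?')
    echo "kernel.randomize_va_space = $sysval ($(randomize_va_space_label "$sysval"))"
    if [ "$sysval" = 0 ]; then found=1; fi
    for pidfile in /proc/[0-9]*; do
        pid=${pidfile#/proc/}
        comm=$(cat "$pidfile/comm" 2>/dev/null) || continue
        [ "$comm" = nginx ] || continue
        pers=$(cat "$pidfile/personality" 2>/dev/null) || continue
        if personality_no_randomize "$pers"; then
            echo "pid $pid: personality $pers has ADDR_NO_RANDOMIZE (ASLR off for this process)"
            found=1
        fi
    done
    return $found
}

if audit_nginx_aslr; then
    echo "no running nginx process has per-process ASLR disabled"
fi
```

A worker started through `setarch x86_64 -R` shows `00040000` in its personality file even on a host where the sysctl is 2, which is exactly the configuration the PoC needs; a plain systemd-launched nginx shows `00000000`.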
An 18-year-old flaw in Nginx, a public PoC, a lot of noise… but who is actually affected?
🚨 New critical flaw in NGINX: CVE-2026-42945 (Z)
A vulnerability in ngx_http_rewrite_module can crash NGINX workers, or even lead to code execution if ASLR is disabled.
👉 https://security-tracker.debian.org/tracker/CVE-2026-42945
I don't wanna ruin your Friday, but nginx has a serious CVE with a rating of 9.2, and you should patch or mitigate it asap.
The CVE is an unauthenticated http request that can lead to a deterministic buffer overflow and remote code execution.
@beyondmachines1
Meanwhile, not completely off the hook people, you can check the vul updates via: https://security-tracker.debian.org/tracker/CVE-2026-42945
Statistics
- 20 Posts
- 6 Interactions
Fediverse
CISA said all federal agencies have until Sunday to patch CVE-2026-20182, the latest Cisco SD-WAN bug exploited by nation-state actors.
It was discovered by Rapid7, which said it "behaves like a master key."
https://therecord.media/cisa-orders-all-federal-agencies-to-patch-cisco-sd-wan-bug
📰 Cisco Scrambles to Patch Critical 10.0 CVSS Zero-Day in SD-WAN Under Active Attack
🚨 CRITICAL ZERO-DAY: Cisco warns of active exploitation of a 10.0 CVSS auth bypass flaw (CVE-2026-20182) in Catalyst SD-WAN. Attackers can gain full admin access. CISA has issued a directive to patch immediately! ⚠️ #CyberSecurity #ZeroDay #Cisco
🌐 cyber[.]netsecops[.]io
Statistics
- 7 Posts
- 120 Interactions
Fediverse
Local file exposure #vulnerability in linux kernels (CVE-2026-46333):
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
Apparently this issue was already identified in 2020 but wasn't fixed back then.
Mitigation:
- runtime:
sudo sysctl -w kernel.yama.ptrace_scope=2
- To make the mitigation persistent:
echo "kernel.yama.ptrace_scope=2" | sudo tee /etc/sysctl.d/01-harden-ptrace.conf
WARNING: This mitigation may break existing functionality. Test before deploying.
WARNING 2: While this mitigation does block the currently existing PoC, it may not prevent other attack vectors exploiting this vulnerability.
ssh-keysign-pwn is the fourth local-root Linux kernel disclosure in roughly two weeks. (But who's counting?)
AlmaLinux 9 and 10 are both vulnerable. AlmaLinux 8 is not exploitable with the current public PoCs, but is getting the patch as well.
Patched kernel versions are available for testing now: https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/
#Debian has released kernel update that fixes the CVE-2026-46333 (ssh-keysign-pwn) vulnerability.
Debian stable (trixie) kernel update: https://lists.debian.org/debian-security-announce/2026/msg00185.html
Debian oldstable (bookworm) kernel update: https://lists.debian.org/debian-security-announce/2026/msg00186.html
What a week… #Linux ssh-keysign-pwn (CVE-2026-46333):
Mitigation (breaks strace, gdb etc)
$ sudo sysctl -w kernel.yama.ptrace_scope=3
$ echo 'kernel.yama.ptrace_scope = 3' | sudo tee /etc/sysctl.d/99-ssh-keysign-pwn.conf
If you are changing sysctl kernel.yama.ptrace_scope because of the ssh-keysign-pwn exploit https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/ on Fedora/RHEL, be aware that your sysctl will be competing with /usr/lib/sysctl.d/10-default-yama-scope.conf, so better change it in that file.
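The two mitigation posts above and the Fedora/RHEL warning that follows them hinge on how sysctl fragments are merged: a hardening file named `01-harden-ptrace.conf` in /etc/sysctl.d sorts before the distro's `10-default-yama-scope.conf` in /usr/lib/sysctl.d and so gets silently overridden at boot, whereas `99-ssh-keysign-pwn.conf` wins. The script below is an added example, not code from any of the posts or from any distribution; it resolves the effective value of a key the way systemd-sysctl (and `sysctl --system`) document it: fragments from /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d and /lib/sysctl.d are merged with an earlier directory masking a same-named file in a later one, the merged set is applied in lexical order of file name, and /etc/sysctl.conf is applied last. The directory tree it runs against is constructed with `mktemp` to mirror the situation in the posts; pass no second argument to inspect the live host instead. It only handles the dotted key form (`kernel.yama.ptrace_scope`), not the slash form.

```sh
#!/bin/sh
# Added example: which sysctl.d fragment actually wins for a key?
# Models the precedence systemd-sysctl / sysctl --system apply:
#   1. *.conf in /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d,
#      /usr/lib/sysctl.d, /lib/sysctl.d are merged; a file in an earlier
#      directory hides a same-named file in a later one;
#   2. the merged set is applied in lexical order of file name, so for one
#      key the fragment whose name sorts last wins;
#   3. /etc/sysctl.conf is applied after all of them.
# The optional ROOT argument points the lookup at a constructed tree.

# Merged fragment list, one path per line, in application order.
sysctl_fragments() {
    root=$1
    for d in "$root/etc/sysctl.d" "$root/run/sysctl.d" \
             "$root/usr/local/lib/sysctl.d" "$root/usr/lib/sysctl.d" \
             "$root/lib/sysctl.d"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.conf; do
            if [ -f "$f" ]; then printf '%s %s\n' "${f##*/}" "$f"; fi
        done
    done | awk '!seen[$1]++' | LC_ALL=C sort -k1,1 | awk '{print $2}'
}

# Last value assigned to the (regex-escaped) key in one file; empty if none.
# Accepts "key = value" and "key=value"; lines starting with # or ; are comments.
value_in_file() {
    sed -n "/^[[:space:]]*[#;]/d; s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Effective value of KEY after all fragments are applied (empty if unset).
effective_sysctl() {
    key=$1
    root=${2:-}
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    val=
    for f in $(sysctl_fragments "$root"); do
        v=$(value_in_file "$esc" "$f")
        if [ -n "$v" ]; then val=$v; fi
    done
    if [ -f "$root/etc/sysctl.conf" ]; then
        v=$(value_in_file "$esc" "$root/etc/sysctl.conf")
        if [ -n "$v" ]; then val=$v; fi
    fi
    printf '%s\n' "$val"
}

# Constructed tree (not a real host): the distro ships ptrace_scope = 1 in
# /usr/lib/sysctl.d/10-default-yama-scope.conf and the admin has added the
# 01-harden-ptrace.conf fragment from the mitigation post.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'kernel.yama.ptrace_scope = 1\n' > "$root/usr/lib/sysctl.d/10-default-yama-scope.conf"
    printf 'kernel.yama.ptrace_scope=2\n'   > "$root/etc/sysctl.d/01-harden-ptrace.conf"
    printf '%s\n' "$root"
}

demo=$(demo_tree)
echo "with 01-harden-ptrace.conf only: $(effective_sysctl kernel.yama.ptrace_scope "$demo")"
printf 'kernel.yama.ptrace_scope = 3\n' > "$demo/etc/sysctl.d/99-ssh-keysign-pwn.conf"
echo "plus 99-ssh-keysign-pwn.conf:    $(effective_sysctl kernel.yama.ptrace_scope "$demo")"
rm -rf "$demo"
```

The first line prints 1: the distro default sorts after `01-` and wins, which is why the post recommends editing the distro file (or, equivalently, dropping a same-named `10-default-yama-scope.conf` into /etc/sysctl.d to mask it). The second prints 3. After any change, confirm with `sysctl --system` and `cat /proc/sys/kernel/yama/ptrace_scope` rather than trusting the file you edited.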
Statistics
- 6 Posts
- 2 Interactions
Fediverse
Fragnesia: a new privilege escalation vulnerability in the Linux kernel
A new security flaw has been discovered in the Linux kernel, called Fragnesia (CVE-2026-46300), which allows an unprivileged local user to obtain administrator (root) privileges on a GNU/Linux distribution.
@linux #UnoLinux #gnulinux #linux
Oh and while we are here, Linux fans, please tell me you have updated your machine for "Fragnesia (CVE-2026-46300)", right… right!?
Linux distributions are alerting users to a newly disclosed kernel vulnerability that could allow local attackers to escalate privileges to root.
The flaw, dubbed Fragnesia and tracked as CVE-2026-46300, enables unprivileged users to obtain root access by overwriting critical system files.
Most Linux distributions are impacted, and vendors have begun rolling out security patches.
Statistics
- 1 Post
- 26 Interactions
Fediverse
NOTICE: Shortcuts broke its x-callback-url implementation.
Seems to be part of the security fix for CVE-2026-28993 included in iOS 26.5/18.7.9, macOS 26.5/15.7.7/14.8.7. On these OSes, it’s no longer possible to get a result from a Shortcut call via `x-success` callback, you will *always* get an x-error.
In theory, per the CVE, Shortcuts should offer a permissions prompt, not just fail.
Apple Folks: FB22785648
Statistics
- 1 Post
- 4 Interactions
Fediverse
CVE-2026-43898: Critical SandboxJS Escape (CVSS 10.0) Enables Full Host Takeover via npm
#CyberSecurity
https://securebulletin.com/cve-2026-43898-critical-sandboxjs-escape-cvss-10-0-enables-full-host-takeover-via-npm/
Overview
- Fortinet
- FortiSandbox Cloud
Statistics
- 1 Post
- 4 Interactions
Fediverse
CVE-2026-26083: Critical Fortinet FortiSandbox Flaw Allows Unauthenticated Remote Code Execution — Patch Now
#CyberSecurity
https://securebulletin.com/cve-2026-26083-critical-fortinet-fortisandbox-flaw-allows-unauthenticated-remote-code-execution-patch-now/
Statistics
- 1 Post
- 2 Interactions
Fediverse
Ransomware Risks: Why SMBs Need AI Security Now
Last week I was staring at my EnduraCoach dashboard, watching it yell at me for sneaking in an extra sprint session that my body wasn’t ready for. The AI caught the overtraining pattern across heart-rate, sleep, and power data and shut it down before I wrecked my Ironman build. That same evening the April ransomware numbers landed. SMBs got hammered again. And I thought: if only every founder had an always-on coach like this for their security stack.
Here’s the uncomfortable truth from April 2026: ransomware didn’t slow down—it accelerated. A new player called JanaWare quietly encrypted files for hundreds of Turkish home users and small businesses through targeted phishing campaigns. Low-dollar demands ($200–$400) but high volume. Attackers are learning that SMBs are softer targets and faster payers.
The broader picture is uglier.
Verizon’s 2025 DBIR (still the gold standard) found ransomware present in 88% of SMB breaches versus 39% of breaches at large enterprises. Unpatched vulnerabilities caused 29% of incidents; stolen credentials another 30%.
Sophos and Black Kite reports confirm SMBs in the $4M–$8M revenue band are now the sweet spot for attackers.
Most of us simply don’t have a 24/7 SOC or the headcount to patch, triage, and remediate at machine speed.
Why your current stack is losing the race
You already know the drill—I wrote about it two weeks ago. You’ve got EDR, a SIEM that spits 800 alerts a day, cloud config tools, backup solutions, and a compliance spreadsheet that lives in Google Docs. Your one-person IT “team” (probably you or your CTO wearing three hats) can’t keep up. Alerts become noise. Drift happens. A single phishing email or unpatched server becomes a full-blown encryption party.
Meanwhile, attackers have upgraded. Remember my Claude Mythos experiment in April? One air-gapped model autonomously built an exploit chain and phoned home. Offensive AI agents are now table stakes for ransomware groups. Defensive point tools can’t match that speed.
The fix we’re actually shipping at Espresso Labs
This is exactly why we built Espresso Labs: one unified AI-powered platform that replaces the dozen disconnected tools and the missing SOC. At the center is Barista—our continuous AI agent that doesn’t just alert. It acts.
Barista watches endpoints, cloud configs, identities, and backups 24/7. It triages, quarantines, remediates, and collects audit-ready evidence in real time. Human experts back it up when needed. For CMMC, SOC 2, or HIPAA it enforces controls continuously instead of chasing checkboxes. Founders tell us it cuts compliance cost and timeline by up to 80% while actually stopping breaches.
Think of it as EnduraCoach for your entire tech stack: always connected, always enforcing the plan, and stepping in before you even notice the problem.
Two real-world SMBs that would still be running if they had Barista
Example 1: A Dental Clinic (12 employees, California)
Late April 2026 the practice got hit via the fresh cPanel vulnerability (CVE-2026-41940). One unpatched server, no continuous scanning, and “Sorry” ransomware encrypted patient records and scheduling systems in under 40 minutes.
Downtime cost them $18k in lost appointments plus a $45k ransom negotiation.
They paid.
Data was partially recovered.
With Espresso Labs this never happens.
Barista’s agents would have auto-detected the cPanel drift during its nightly vuln sweep, patched it automatically, and isolated the server the moment anomalous encryption behavior started.
Immutable backups would have let them restore in minutes with zero ransom paid. The clinic keeps seeing patients instead of calling their MSP in panic.
Example 2: A Marketing Agency (8 employees, remote-first)
A senior designer clicked a sophisticated phishing link dressed as a client creative brief.
Stolen credentials gave attackers initial access. Within hours they deployed ransomware across the shared drive and exfiltrated client campaigns. The agency lost three days of billable work and faced a $32k demand.
Classic stolen-credential playbook—exactly the 30% bucket from the Verizon report.
Barista would have caught and blocked the malware download, and rolled back from the last clean backup automatically. The designer gets a gentle “hey, that link looked sketchy—let’s run a quick training module.” No encryption, no exfil, no headlines.
These aren’t hypotheticals.
These patterns played out in April for dozens of SMBs just like yours.
Your 5-step practitioner playbook (do this this week)
- Stop buying another tool. Audit what you actually have running and where data lives. Most SMBs discover they’re paying for 70% overlap.
- Demand continuous enforcement. Point-in-time scans are dead. You need agents that watch 24/7 and fix drift instantly.
- Test autonomous remediation on one workload. Spin up a low-risk environment (dev server, staging) and let an agent like Barista practice quarantining and restoring.
- Layer in phishing simulation + training that actually sticks. Barista does this natively and measures real behavior change.
- Get your compliance evidence automated. If you’re chasing CMMC Level 2 or SOC 2 Type 2 this year, manual evidence collection is the fastest way to fail an audit.
Your startup isn’t a marathon—it’s brutal sprints.
Security in 2026 is the same.
One missed sprint and the whole race ends. Continuous AI agents turn defense into a sprint you can actually win.
The tech exists today. We’re running it for our own early customers and it feels exactly like the relief EnduraCoach gives me mid-training: someone (or something) smarter has your back.
If your April numbers looked anything like the industry’s, drop a comment: what’s your biggest security headache right now?
Or head to espressolabs.com and book a 15-minute Barista demo.
No slide deck, no hard sell—just a live look at what continuous actually feels like.
Stay safe out there.
Train hard, ship secure, and let the AI do the heavy lifting.