Blog

Maximum-severity UniFi OS vulnerabilities enable full network takeover

Field Effect Security Intelligence Team — Fri, 22 May 2026 18:44:58 GMT

At a glance: Ubiquiti has released patches for three maximum-severity UniFi Operating System vulnerabilities that allow unauthenticated remote access to network management infrastructure. The flaws enable unauthorized changes, file access, and command execution, creating a direct path to full system compromise. Organizations running exposed or poorly segmented UniFi environments face elevated risk due to the scale of internet‑accessible deployments and the central role these systems play in network control.

Cisco Secure Workload API flaw creates cross-tenant exposure risk

Field Effect Security Intelligence Team — Thu, 21 May 2026 20:53:37 GMT

At a glance: Cisco disclosed a critical vulnerability in Cisco Secure Workload that allows an unauthenticated threat actor to gain Site Admin privileges through crafted API requests, with a maximum CVSS score. The flaw affects both SaaS and on‑premises deployments and enables access to sensitive data and configuration changes across tenant boundaries, creating exposure in shared environments. Remediation requires upgrading to fixed versions, as no workarounds are available and the vulnerability directly impacts the platform’s security control plane.

Leaked Shai-Hulud malware fuels wave of npm credential theft campaigns

Field Effect Security Intelligence Team — Tue, 19 May 2026 20:03:08 GMT

At a glance: Threat actors are escalating the Shai‑Hulud campaign by combining leaked malware code with compromised npm packages, enabling rapid, large‑scale credential theft across developer environments. The shift from typosquatted packages to trusted package compromise allows malicious code to propagate through normal dependency updates, increasing exposure across CI/CD pipelines and cloud infrastructure. This activity highlights a growing supply chain risk where trusted software components can become a primary vector for widespread credential compromise and follow‑on attacks.

Microsoft Exchange Server flaw actively exploited, no patch available

Field Effect Security Intelligence Team — Fri, 15 May 2026 16:18:35 GMT

At a glance: Active exploitation of a high-severity vulnerability in on-premises Microsoft Exchange Server exposes organizations using Outlook Web Access to session-level compromise through a crafted email. There is no patch currently available, and organizations rely on Microsoft’s mitigations and validation of coverage across affected systems. Organizations relying on webmail access need to act now to confirm mitigation is in place and reduce exposure while a permanent fix is developed.

Apache HTTP/2 flaw exposes unpatched servers to possible code execution

Field Effect Security Intelligence Team — Fri, 15 May 2026 12:50:57 GMT

At a glance: Apache HTTP Server vulnerability CVE-2026-23918 exposes unpatched systems to denial of service and, in some configurations, remote code execution. The issue affects Apache HTTP Server 2.4.66 when HTTP/2 traffic is accepted, a condition common in standard internet-facing deployments. Organizations benefit from confirming HTTP/2 usage and prioritizing an update to version 2.4.67 to remove exposure at the web tier.

Microsoft Office update fixes Word RCE triggered via Outlook emails

Field Effect Security Intelligence Team — Thu, 14 May 2026 12:41:56 GMT

At a glance: Microsoft’s May 12, 2026 Patch Tuesday updates address a Microsoft Word remote code execution vulnerability, CVE-2026-40361, that can be triggered through Outlook when rendering a malicious email. The flaw allows code execution on the affected endpoint without user interaction, creating risk of data access, credential theft, and post-compromise activity under the user’s privileges. Microsoft Office updates remediate the vulnerability, and systems without the updated Office components remain exposed even if Windows is fully patched.

Critical Exim flaw enables remote code execution on GnuTLS builds

Field Effect Security Intelligence Team — Tue, 12 May 2026 20:01:49 GMT

At a glance: On May 12, 2026, Exim released a security update to fix a critical vulnerability that can allow unauthenticated remote compromise of affected email servers. The issue affects Exim 4.97-4.99.2 on Debian, Ubuntu, and some Debian‑derived distributions where Exim is built with GnuTLS. The only effective resolution is upgrading to Exim 4.99.3 or applying distribution-provided security patches.

Session hijacking: What it is and how to prevent it

Sebastien Peterson — Tue, 12 May 2026 18:15:09 GMT

Most people don't think twice after they log into a website. They enter a password, click "Sign In," and move on with their day. But behind the scenes, something more fragile is happening, and threat actors know it.

Canvas login portal incident led to widespread disruption

Field Effect Security Intelligence Team — Tue, 12 May 2026 16:54:38 GMT

At a glance: The Canvas incident escalated into a vendor-side outage during critical academic periods, disrupting exams, coursework access, and institutional operations across thousands of schools globally. While the technical breach and login-portal defacements occurred entirely within Instructure’s environment, the visibility and timing amplified operational disruption and uncertainty for educators and students. Instructure stated that the data was returned and customers would not be separately extorted, however institutions should expect downstream risks such as targeted phishing.

Dirty Frag Linux kernel flaw disclosed, active exploitation observed

Field Effect Security Intelligence Team — Fri, 08 May 2026 18:36:14 GMT

At a glance: Dirty Frag is a Linux kernel vulnerability that allows a threat actor with limited access to escalate privileges to full root by modifying trusted system files only in memory, bypassing disk‑based security controls. Microsoft observed Dirty Frag being used in post‑compromise activity, increasing the likelihood that an initial foothold on a Linux system can quickly lead to complete system takeover across servers, cloud workloads, and containers.

OPNsense addresses code execution issue with POC available

Field Effect Security Intelligence Team — Thu, 07 May 2026 20:55:21 GMT

At a glance: OPNsense has released fixes for two vulnerabilities that affect firewall management security, both disclosed with publicly available POCs. One flaw allows repeated login attempts without triggering lockouts, increasing exposure to credential‑guessing attacks, while a second, higher‑severity issue can allow full firewall takeover if an account with XMLRPC privileges is compromised. With exploitability demonstrated by the vendor, patching is a priority for organizations relying on OPNsense to protect network boundaries.

Palo Alto firewall zero-day allows unauthenticated root access

Field Effect Security Intelligence Team — Wed, 06 May 2026 15:41:07 GMT

At a glance: Palo Alto Networks has disclosed an actively exploited unpatched vulnerability (zero-day) that allows an external threat actor to take full control of affected firewalls without authentication. Because the flaw targets a core perimeter security control, successful exploitation can undermine network trust, enable silent monitoring of traffic, and expose internal systems to wider compromise. With active exploitation confirmed, a public exploit available, and vendor patches not yet available, organizations with affected firewalls face immediate risk until fixes and mitigations are applied.

Instructure data breach exposes education sector to extortion

Field Effect Security Intelligence Team — Wed, 06 May 2026 13:04:16 GMT

At a glance: Instructure has disclosed a cybersecurity incident affecting users at selected educational institutions after extortion group ShinyHunters claimed responsibility and published sample data online. Exposed information reportedly includes names, email addresses, student identification numbers, and user messages. While there is no evidence that passwords or financial data were compromised, the exposure of identity and communication data increases the risk of phishing, impersonation, and social engineering attacks targeting schools, staff, students, and third-party partners.

Critical authentication bypass in Progress MOVEit Automation

Field Effect Security Intelligence Team — Tue, 05 May 2026 13:06:36 GMT

At a glance: Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation that enables unauthenticated, low-complexity remote access. Because the platform is widely used to transfer sensitive business data and is often internet-facing, the flaw creates a direct risk of unauthorized access and downstream compromise. While no active exploitation has been confirmed, similarities to past MOVEit attacks and the presence of legacy and end-of-life deployments increase the potential operational impact.

Field Effect announces 2026 participation in MITRE ATT&CK® Evaluations

Field Effect — Mon, 04 May 2026 14:27:11 GMT

Second consecutive participation reinforces commitment to transparency and continuous improvement

Field Effect, a global cybersecurity company specializing in AI security and managed detection and response (MDR), today announced its participation in the 2026 MITRE ATT&CK® Evaluations.

Copy Fail: Linux kernel privilege escalation flaw publicly disclosed

Field Effect Security Intelligence Team — Thu, 30 Apr 2026 20:09:38 GMT

At a glance: Copy Fail (CVE-2026-31431), a Linux kernel logic flaw, allows reliable privilege escalation to root on most systems built since 2017. While not directly exploitable from the internet, the vulnerability turns routine low-privilege access (common in containers, CI/CD pipelines, and shared servers) into full host compromise while bypassing file-integrity monitoring and disk-based detection. In modern Linux environments where untrusted code execution is expected, this significantly increases the risk of lateral movement, container escape, and cross-tenant impact until systems are patched and rebooted.

cPanel and WHM authentication bypass flaw publicly disclosed

Field Effect Security Intelligence Team — Wed, 29 Apr 2026 20:36:10 GMT

At a glance: Researchers disclosed a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), widely used web hosting control panels. The flaw allows unauthenticated remote attackers to bypass login and gain access to internet-exposed management interfaces, potentially enabling full control over hosting environments and downstream customer websites. While reports of exploitation have surfaced, they remain unconfirmed by the vendor.

Vimeo data exposure linked to third‑party analytics platform breach

Field Effect Security Intelligence Team — Wed, 29 Apr 2026 12:42:29 GMT

At a glance: Vimeo recently disclosed a data exposure linked to a compromised third-party analytics provider, Anodot, which had access to its cloud data environments. The extortion group, ShinyHunters, claimed responsibility, threatening to release stolen data unless a ransom was paid. The incident underscores the risk of attackers exploiting trusted SaaS integrations to access downstream systems and reinforces the need to tightly manage third-party access to sensitive data.

FIRESTARTER backdoor persists on Cisco firewalls after patching

Field Effect Security Intelligence Team — Tue, 28 Apr 2026 12:20:15 GMT

At a glance: In April 2026, U.S. and UK cyber authorities disclosed a previously unknown persistence mechanism, tracked as FIRESTARTER, discovered on Cisco firewall infrastructure protecting a U.S. federal civilian agency. The mechanism can survive security patches released in September 2025, allowing continued access to affected devices unless remediation extends beyond routine patching. The activity underscores the business risk of perimeter device compromise and reinforces that patching alone does not always equate to full remediation.

IT helpdesk impersonation campaign uses Teams to gain initial access

Field Effect Security Intelligence Team — Mon, 27 Apr 2026 13:15:36 GMT

At a glance: Threat actors tracked as UNC6692 are impersonating IT helpdesk staff over Microsoft Teams to gain initial access through social engineering rather than technical exploitation. The activity combines targeted email-bombing with external Teams messages that prompt users to install fake fixes, allowing attackers to bypass traditional email and perimeter security controls and establish a foothold inside corporate environments.

Field Effect detects AMOS Stealer delivered via Cursor AI agent session

Daniel Albrecht — Fri, 24 Apr 2026 19:40:36 GMT

Key findings

On April 23, 2026, Field Effect MDR detected and responded to an incident involving the execution of malicious and heavily obfuscated AppleScript commands through a Cursor agent session running Claude Code, identified as AMOS Stealer malware.

Bitwarden CLI compromised as part of supply-chain campaign

Field Effect Security Intelligence Team — Fri, 24 Apr 2026 13:10:49 GMT

At a glance: A malicious release of the Bitwarden CLI was published to npm in April 2026 as part of an expanding software supply chain campaign linked to earlier Checkmarx developer tooling compromises. The tampered package executed automatically during installation and focused on stealing credentials from developer and CI/CD environments, with potential downstream impact to source repositories, automation pipelines, and cloud infrastructure.

Microsoft issued emergency patch for ASP.NET Core Data Protection flaw

Field Effect Security Intelligence Team — Thu, 23 Apr 2026 11:53:20 GMT

At a glance: Microsoft issued an out-of-band update to address CVE-2026-40372, a high-severity elevation of privilege vulnerability introduced in the April 14, 2026 .NET 10.0.6 Patch Tuesday release. The flaw affects ASP.NET Core applications that use the Data Protection component to secure authentication state and can allow forged authentication artifacts to persist beyond patching. Organizations running affected configurations benefit from updating, rebuilding impacted applications, and invalidating credentials issued during the vulnerable period to fully restore cryptographic trust.

Progress patches MOVEit WAF and LoadMaster vulnerabilities

Field Effect Security Intelligence Team — Wed, 22 Apr 2026 12:14:00 GMT

At a glance: Progress Software released patches for critical vulnerabilities affecting MOVEit Web Application Firewall and Kemp LoadMaster, widely used at the enterprise and managed service provider perimeter. The issues could allow authenticated threat actors to execute commands or bypass inspection controls under certain conditions, making timely remediation important for reducing risk.

18 Seconds: How Field Effect MDR Contains and Reports Threats in Record-Time

Mallory Tretter — Tue, 21 Apr 2026 16:02:00 GMT

We’ve entered the era of AI-accelerated attackers and agentic attacks.
Outpacing AI means detecting and disrupting threats before they can execute and spread.