Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Speak with an ExpertOracle E-Business Suite CVE-2026-46817 Actively Exploited
A critical vulnerability in Oracle E-Business Suite (EBS) is being actively exploited in the wild, increasing the risk to organizations relying on Oracle Payments for business-critical operations. Tracked as CVE-2026-46817 (CVSS 9.8), the flaw affects the Oracle Payments File Transmission component and allows unauthenticated attackers with network access over HTTP to fully compromise vulnerable systems. Active exploitation has been observed despite the absence of a public proof-of-concept, suggesting the use of privately developed exploit tooling.
The vulnerability stems from missing authentication and improper privilege management within the File Transmission component. Successful exploitation enables remote attackers to compromise the confidentiality, integrity, and availability of affected Oracle Payments instances, potentially resulting in complete system takeover. Recent observations indicate attackers issuing crafted HTTP POST requests to the /OA_HTML/ibytransmit endpoint with malicious XML payloads, including attempts to access sensitive local files, although the full exploitation chain has not been publicly disclosed. Previous Oracle E-Business Suite vulnerabilities have been leveraged by the Cl0p ransomware group to conduct large-scale data theft and extortion campaigns, highlighting the platform’s continued value as a target for financially motivated threat actors.
Active Exploitation of Citrix NetScaler “CitrixBleed 2” Vulnerability CVE-2026-8451
Citrix has released security updates for multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway that could allow unauthenticated attackers to read arbitrary files, disclose sensitive memory contents, or trigger denial-of-service (DoS) conditions under specific configurations. The flaws affect enterprise application delivery and remote access infrastructure commonly deployed at the network edge, making them attractive targets for threat actors seeking initial access or service disruption. Following public disclosure, active exploitation of CVE-2026-8451 has been observed in the wild, with attacks reported less than 24 hours after technical details and proof-of-concept (PoC) code became publicly available.
The most critical issue, CVE-2026-8451 (CVSS 8.8), is an insufficient input validation vulnerability that can disclose sensitive memory contents when NetScaler is configured as a SAML Identity Provider. The flaw belongs to the same class of memory disclosure vulnerabilities as the 2023 CitrixBleed attacks and has been dubbed “CitrixBleed 2” by security researchers. Observed exploitation involves attackers leveraging publicly available PoC code to retrieve sensitive information from vulnerable appliances. Additional vulnerabilities addressed by Citrix include CVE-2026-8452 (CVSS 8.8), which can trigger denial-of-service through insufficient input validation; CVE-2026-8655 (CVSS 8.8), involving multiple memory overflow vulnerabilities that can result in unpredictable behavior or DoS in Oracle load balancer and DNS deployments; CVE-2026-10816 (CVSS 7.7), an external control of file path vulnerability enabling unauthenticated arbitrary file reads when management interfaces are exposed; and CVE-2026-13474 (CVSS 8.7), which enables HTTP/2-based denial-of-service attacks.
Linux Kernel Privilege Escalation Exploited
An actively exploited local privilege escalation vulnerability in the Linux kernel, CVE-2026-43456 (CVSS 7.8), allows an attacker with local access to gain root under specific conditions. Multiple kernel versions are affected and patches have been published.
The flaw results from improper handling of kernel interfaces that permits escalation from a local session to root when certain conditions are met. Observed exploitation chains begin with a local foothold or access to an untrusted service/container, then leverage the kernel flaw to obtain elevated privileges and perform persistent actions as root. Remediation updates addressing the underlying code paths are available.
This vulnerability has been entered into CISA KEV, indicating active use in the wild. Organizations with multi-tenant hosts, developer workstations, containers, or systems allowing local user access should treat this as high priority. Forensic review of suspected hosts can confirm exploitation timelines and guide containment and recovery.
VEIL#DROP Uses Blogspot and Fileless Techniques to Deploy PureLogs Stealer
VEIL#DROP is a newly identified multi-stage malware framework that leverages Google Blogspot as a staging platform to deliver the PureLogs information stealer through a largely fileless infection chain. The attack begins with a malicious JavaScript file disguised as a PDF document, which launches PowerShell to retrieve additional payloads hosted on attacker-controlled Blogspot pages. By abusing Google’s trusted infrastructure and relying on in-memory execution, the campaign is designed to evade traditional reputation-based security controls and reduce forensic artifacts.
Once executed, the PowerShell loader decrypts and dynamically generates subsequent stages before reflectively loading the PureLogs .NET stealer directly into memory. The malware also abuses multiple legitimate Microsoft-signed binaries (LOLBins), including RegSvcs, InstallUtil, and MSBuild, to ensure successful execution while blending into normal system activity. PureLogs is capable of harvesting browser credentials, cookies, autofill data, system information, and other sensitive information, with stolen session cookies potentially enabling attackers to bypass multi-factor authentication by hijacking authenticated sessions.
The campaign demonstrates a continued shift toward stealthy malware delivery techniques that combine trusted cloud services, PowerShell, reflective .NET loading, and living-off-the-land binaries to bypass traditional endpoint defenses. Organizations should monitor for suspicious PowerShell activity and abnormal use of .NET utilities, particularly when followed by connections to Blogspot domains or other trusted cloud-hosted resources.
AsyncRAT Deployed via ScreenConnect DLL Sideloading
An ongoing campaign is distributing AsyncRAT by embedding malicious libraries in typosquatted software installers and abusing the legitimate remote access tool ScreenConnect to execute payloads stealthily. Successful infections enable credential theft, persistence, and lateral movement across home and business systems.
The attack chain begins with spoofed download pages delivering ZIP archives that contain a repurposed, signed installer and a malicious DLL (for example install.res.1033.dll) which is loaded via DLL sideloading. ScreenConnect is installed silently and used to spawn PowerShell and VBScript that add Microsoft Defender exclusions, bypass User Account Control, decode an XOR-encoded payload, and inject AsyncRAT into a legitimate process (RegAsm.exe) using process hollowing. A scheduled task named MasterPackager.Updater runs every two minutes to maintain persistence.
Infrastructure spans more than 90 typosquatted sites and a small set of hosting clusters and command-and-control IPs, enabling broad distribution and resilient C2. Compromised hosts contact multiple C2 domains and may be used to harvest or monetize credentials. The campaign leverages search-engineβpoisoned download pages and trusted tooling to blend with normal activity, increasing detection difficulty and potential impact.
WinRAR Fixes Heap Overflow Vulnerability in RAR5 Recovery Processing
WinRAR has released version 7.23 to address CVE-2026-14191 (CVSS 7.8), a heap overflow vulnerability affecting the processing of RAR5 recovery (.rev) volumes. Organizations that rely on WinRAR or applications incorporating RAR or UnRAR components to process archives from external or untrusted sources may be exposed to application crashes, service disruption, or potential arbitrary code execution if the vulnerability is exploited.
The vulnerability is triggered when a specially crafted RAR5 recovery (.rev) volume is processed alongside its associated archive, resulting in an out-of-bounds heap write during recovery volume reconstruction. By manipulating recovery metadata, an attacker can corrupt heap memory, leading to application instability and process termination. Under favorable conditions, the memory corruption may be leveraged to influence program execution and potentially achieve arbitrary code execution, depending on the target application’s memory layout and available exploit mitigations. The flaw affects WinRAR, RAR, and UnRAR-based components that implement RAR5 recovery processing, while UnRAR.dll deployments that do not support recovery volume processing are not impacted. Systems that automatically process untrusted archivesβincluding email gateways, sandbox environments, backup infrastructure, file-sharing platforms, and automated file-processing pipelinesβface the greatest risk because malicious archives can be processed without direct user interaction.
NEWS AND RESOURCES
Whatβs on at CyberProof
Speak with an expert
Explore how CyberProof can help you anticipate, prevent, and mitigate ever-evolving cyberattacks in hybrid and cloud-native environments.
SPEAK WITH AN EXPERT







