Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2026-28318: SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability

Vendor/Product: SolarWinds Serv-U

Description: SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-19

Reference: CVE-2026-28318 - NVD

Expert take: This one doesn’t steal your data or run code. It just crashes the server. So people are going to underrate it. Don’t.

The trick is a compression bomb. You send a tiny POST request with Content-Encoding: deflate and a payload that blows up huge when Serv-U tries to decompress it. No login needed. CVSS is only 7.5, but the score is about severity, not how easy it is to use, and this one is dead simple. Public exploit code is already out there.

Here’s why a “just a crash” bug matters. Serv-U is a file transfer server. People put it on the edge of their network so partners can move files in and out. When it goes down, the business process around it breaks too, and an outage is a great distraction while someone pokes at other things. The fix is Serv-U 15.5.4 Hotfix 1. If you can’t patch right now, block any POST request with a content-encoding header, because the service doesn’t actually need it. And yeah, anything internet-facing should go first.
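A defensive illustration of the mechanism described above, added here and not SolarWinds code: a bounded inflater that rejects a deflate-encoded body before it can exhaust memory, beside the header check the digest suggests as an interim mitigation. The 1 MiB cap and both sample bodies are constructed for the example.

```python
import zlib

# Constructed sample bodies (not real traffic). The HTTP "deflate" content-coding is
# zlib-wrapped deflate, which is what zlib.compress produces by default.
BENIGN_BODY = zlib.compress(b"name=test&size=small")
# 8 MiB of zero bytes shrinks to a few KiB: a tiny request that expands enormously.
BOMB_BODY = zlib.compress(b"\x00" * (8 * 1024 * 1024), 9)

MAX_INFLATED = 1 * 1024 * 1024  # hypothetical 1 MiB cap on an inflated request body

class BodyTooLarge(Exception):
    """Raised when a body would inflate past the configured cap."""

def inflate_bounded(body: bytes, limit: int = MAX_INFLATED, step: int = 64 * 1024) -> bytes:
    """Inflate `body` incrementally, aborting before the output exceeds `limit` bytes.

    decompressobj.decompress(data, max_length) emits at most `step` bytes per call and
    parks unprocessed input in unconsumed_tail, so memory stays bounded however
    extreme the compression ratio is.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = body
    while pending:
        out += inflater.decompress(pending, step)
        if len(out) > limit:
            raise BodyTooLarge(f"inflated body exceeded {limit} bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()  # at most a few hundred buffered bytes can remain here
    if len(out) > limit:
        raise BodyTooLarge(f"inflated body exceeded {limit} bytes")
    return bytes(out)

def check_body(body: bytes) -> str:
    """Classify a deflate-encoded body as 'ok' or 'rejected' under the cap."""
    try:
        inflate_bounded(body)
        return "ok"
    except (BodyTooLarge, zlib.error):
        return "rejected"

def reject_encoded_post(method: str, headers: dict) -> bool:
    """Interim mitigation from the digest: refuse any POST that carries
    Content-Encoding at all, since the service does not need compressed bodies."""
    names = {k.lower() for k in headers}
    return method.upper() == "POST" and "content-encoding" in names
```

Running `check_body(BOMB_BODY)` shows the cap tripping after about 1 MiB of output while most of the compressed input is still unread, which is the whole point of inflating in steps.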


CVE-2026-45247: Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

Vendor/Product: Mirasvit Full Page Cache Warmer

Description: Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-06

Reference: CVE-2026-45247 - NVD

Expert take: This is a Magento extension, so it’s running on e-commerce sites. That means it sits next to payment flows and customer data. Bad place for an unauthenticated RCE.

The problem is PHP object deserialization. The app takes a value from a cookie and trusts it enough to rebuild a PHP object out of it. Feed it a crafted object and you can get code running on the server, no login. This is an old, well-understood bug class, and it keeps showing up because deserializing untrusted input is just a bad idea that’s easy to do by accident.

The CISA due date already passed (June 6). If you run Magento and have this extension, treat it as overdue, not upcoming. Patch it, and check your logs for weird CacheWarmer cookie values while you’re at it. The lesson that keeps repeating: never deserialize something a user can control.
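Added example, not Mirasvit's code, of the log check suggested above: it scans constructed access-log lines for a CacheWarmer cookie whose value (URL- or base64-decoded) starts with the `O:<len>:"<class>"` prefix of a serialized PHP object. The log format and the assumption that a legitimate cookie value is a plain token are ours.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed access-log lines (nginx combined format with $http_cookie appended as the
# last quoted field). The base64 cookie is built here so the sample is exact. Not real traffic.
B64_PAYLOAD = base64.b64encode(b'O:10:"FakeObject":0:{}').decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2026:10:15:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "CacheWarmer=1; PHPSESSID=a1b2c3"',
    '198.51.100.7 - - [06/Jun/2026:10:15:09 +0000] "GET / HTTP/1.1" 200 9831 "-" "curl/8.5.0" '
    '"CacheWarmer=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    '198.51.100.9 - - [06/Jun/2026:10:16:41 +0000] "GET / HTTP/1.1" 200 9831 "-" '
    f'"python-requests/2.31" "CacheWarmer={B64_PAYLOAD}"',
    '192.0.2.3 - - [06/Jun/2026:10:17:00 +0000] "GET /customer/account HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0" "PHPSESSID=zzz"',
]

LAST_QUOTED_RE = re.compile(r'"([^"]*)"\s*$')
# A serialized PHP object starts with O:<len>:"<class>" (C: for classes implementing
# Serializable). We assume a legitimate warmer flag is a plain token, never an object.
PHP_OBJECT_RE = re.compile(r'^\s*[OC]:\d+:"')

def cookie_value(log_line, name="CacheWarmer"):
    """Return the named cookie's raw value from a log line, or None if absent."""
    m = LAST_QUOTED_RE.search(log_line)
    if not m:
        return None
    for part in m.group(1).split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def decodings(value):
    """Yield the URL-decoded value and, if it is valid base64, its decoded form too."""
    plain = unquote(value)
    yield plain
    try:
        yield base64.b64decode(plain, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return

def looks_like_php_object(value):
    return any(PHP_OBJECT_RE.match(d) for d in decodings(value))

def flag_suspicious(lines):
    """Client IPs whose CacheWarmer cookie carries a serialized PHP object."""
    return [line.split()[0] for line in lines
            if (v := cookie_value(line)) is not None and looks_like_php_object(v)]
```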


CVE-2022-0492: Linux Kernel Improper Authentication Vulnerability

Vendor/Product: Linux Kernel

Description: Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-05

Reference: CVE-2022-0492 - NVD

Expert take: Look at the CVE number. 2022. This bug is years old and it just landed on the KEV list, which usually means someone caught it being used in real attacks, often inside containers.

The short version: cgroups v1 has a feature called release_agent that runs a program when a cgroup empties out. The kernel wasn’t checking permissions properly, so a process in a container could use it to break out and run code on the host as root. Container escape, basically.

If you run containers, this is the one to care about. Check your kernel version against the fix. The bigger point though is that old CVEs don’t expire. Attackers reuse what works, and a 2022 bug on an unpatched host is just as good to them as a fresh one. Patch cadence on the kernel matters more than people think.


CVE-2025-48595: Android Framework Integer Overflow Vulnerability

Vendor/Product: Android Framework

Description: Android Framework contains an integer overflow vulnerability that allows for code execution, which could lead to local privilege escalation.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-06-05

Reference: CVE-2025-48595 - NVD

Expert take: This is local privilege escalation, not remote. So an attacker needs to get something on the phone first, usually a sketchy app, then this bug bumps them up to higher privileges.

That’s the normal chain on mobile. One app gets a foothold, a framework bug like this turns limited access into deep access. Integer overflows are a classic way in: a number wraps around past its limit, the math goes wrong, and you end up writing memory you shouldn’t.

For most people the fix is boring but real: install the Android security update when it shows up. If you manage a fleet of devices through MDM, push the patch and check who’s still behind. And keep telling people to stick to official app stores, since the whole attack needs that first malicious app to land.


📰 This Week’s Security News

Critical Everest Forms Pro flaw exploited to take over WordPress sites

Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPress website. […]

Read more: Critical Everest Forms Pro flaw exploited to take over WordPress sites

Expert take: CVSS 9.8, unauthenticated, full site takeover. About as bad as a WordPress plugin bug gets.

The root cause is painful in how ordinary it is. The Complex Calculation feature takes what you type into a form field, drops it into a string of PHP code, and runs it with eval(). They do run input through a sanitizer first, but it doesn’t escape single quotes, so an attacker just breaks out and writes their own PHP. From there it’s rogue admin accounts and web shells.

Here’s the part that should bother you. The patch came out March 18 (version 1.9.13). Exploitation didn’t start until April 13. So there was almost a month of warning, and plenty of sites still got hit because nobody updated. Wordfence has blocked over 29,000 attempts. If you run this plugin, update now, then go check your admin user list and look for submissions with the string “diksimarina.” The takeaway: patch fast on anything internet-facing, because the gap between “fix exists” and “you applied it” is exactly the window attackers live in. And eval() on user input should never have shipped.


CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers

CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. […]

Read more: CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers

Expert take: Same bug as CVE-2026-28318 up top, so I won’t repeat the mechanics. One thing worth adding: the patch dropped June 3, and CISA flagged active exploitation by the 5th. Two days.

That’s the speed now. The window between “patch released” and “people getting hit” is basically gone. The old plan of testing a patch for a few weeks before rolling it out doesn’t hold up for internet-facing stuff anymore. For edge services like file transfer servers, you need a fast lane that gets critical patches out in days, not a monthly cycle. If you can’t move that fast, at least have the mitigation ready to drop in the meantime.


Over 900 US gas station tank gauge systems exposed to attacks

Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and…

Read more: Over 900 US gas station tank gauge systems exposed to attacks

Expert take: This isn’t a fancy bug. It’s 900+ industrial devices just sitting on the open internet that were never meant to be there.

Tank gauges measure fuel levels. They talk over old protocols built back when “on the internet” wasn’t a thing anyone planned for, so there’s little to no auth. Once one is reachable, an attacker can mess with readings or shut the thing down, and now you’re talking physical safety, not just data.

The fix here isn’t a patch, it’s network design. This stuff should live behind a firewall or VPN and never face the public internet. If remote access is truly needed, put it behind a gateway that actually checks who’s connecting. Worth running a quick check yourself: search Shodan or Censys for your own org’s IPs and see what’s exposed that shouldn’t be. The recurring theme with OT and ICS is that the device was never built to defend itself, so the network has to do that job.


✅ What You Should Do This Week

  • Immediate: Patch CVE-2026-28318, CVE-2026-45247 (actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures



GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.