Cisco on Monday warned customers about a new SD-WAN flaw that has been used in attacks. Tracked as CVE-2026-20262, the medium-severity issue lets files be written to arbitrary locations in the Catalyst SD-WAN Manager.
“This file could later be used to elevate to root,” Cisco explained, adding, “To exploit this vulnerability, the attacker must have valid credentials with at least write access.”
Cisco said it discovered the vulnerability internally and became aware of its exploitation in June 2026.
Cisco said that CVE-2026-20262 has been used in a few attacks, which indicates it was aimed at specific targets by a skilled group, possibly backed by a state.
CISA added CVE-2026-20262 to its list of Known Exploited Vulnerabilities (KEV) on Monday and told federal agencies to fix it by June 29.
The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Fortinet FortiSandbox
Attackers are exploiting serious flaws in Fortinet’s FortiSandbox threat detection system, according to the threat intelligence firm Defused. Fortinet released security fixes for these three severe security issues (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.
“We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit),” Defused warned on Monday. “Per our research a working exploit for CVE-2026-25089 has not yet been publicly disclosed.”
These flaws let unauthenticated attackers escalate privileges and run code remotely through simple command attacks that need no user interaction. To fix these issues and stop attacks, admins need to update affected systems to the latest versions.
cPanel flaws exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has told U.S. government agencies to fix their servers within three days to protect against an actively exploited weakness (CVE-2026-54420) in the LiteSpeed cPanel user plugin.
LiteSpeed said the flaw was being actively exploited in early June and released urgent updates, warning users to update the cPanel plugin (which comes with the WHM plugin) to the latest version.
Tracked as CVE-2026-48172, this high-severity vulnerability was reported by Namecheap and allows attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS.
This vulnerability affects all user-end plugin versions before 2.4.8 and stems from a ‘UNIX symlink following’ weakness.
Users are advised to use the following command to check if their server is vulnerable to attacks targeting the CVE-2026-48172 vulnerability:
grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null
“If this command results in any output, the vulnerability may have been exploited on your server. [..] To determine any damage done, examine the system logs for any actions taken by the detected IPs,” LiteSpeed said. “This vulnerability is being actively exploited, and poses a risk for all user-end plugin versions prior to 2.4.8.”
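To follow LiteSpeed's advice to review what the detected IPs did, the added example below (not from LiteSpeed or the original article) counts indicator hits per client address and then prints every log line from those addresses. It assumes access-log style lines with the client address as the first field; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Indicator pattern copied from the LiteSpeed grep command quoted above.
IOC_RE='cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert'

# suspect_ips FILE...: print "hits address" per client address, most hits first.
# Assumption: the client address is the first whitespace-separated field;
# change the awk field number for logs laid out differently.
suspect_ips() {
    grep -hE "$IOC_RE" "$@" 2>/dev/null | awk '{print $1}' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# activity_for_ips FILE...: print every line (indicator or not) logged for the
# suspect addresses, so follow-up actions can be reviewed in context.
activity_for_ips() {
    ips=$(suspect_ips "$@" | awk '{print $2}')
    [ -n "$ips" ] || return 0
    # First input (stdin) is the address list; remaining inputs are the logs.
    printf '%s\n' "$ips" | awk 'NR==FNR {ip[$1]=1; next} ($1 in ip)' - "$@"
}

# write_sample_log PATH: constructed log lines (documentation address ranges,
# hypothetical request paths) used to exercise the functions offline.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - alice [02/Jun/2026:10:00:01 +0000] "GET /frontend/index.html HTTP/1.1" 200
198.51.100.7 - bob [02/Jun/2026:10:01:12 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
198.51.100.7 - bob [02/Jun/2026:10:01:40 +0000] "GET /frontend/filemanager HTTP/1.1" 200
203.0.113.5 - carol [02/Jun/2026:10:02:03 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=packageUserSize HTTP/1.1" 200
198.51.100.7 - bob [02/Jun/2026:10:03:00 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=generateEcCert HTTP/1.1" 200
EOF
}

# Demo on the constructed sample; on a real server pass the log files instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Indicator hits per address:"
suspect_ips "$demo_log"
echo "All activity from those addresses:"
activity_for_ips "$demo_log"
rm -f "$demo_log"
```

The second listing includes requests that do not match the indicator pattern, which is where any follow-up actions by the same addresses would show up.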
