Security News Bulletin - June 2026


Azure Resource Manager Privilege Escalation Vulnerability

CVE-2026-47280 

Published: 2026-05-22 
Updated: 2026-06-17 

Vendor: Microsoft 
Product: Azure Resource Manager 

Attack Tags: Privilege Escalation, Cloud Security, Azure Resource Manager (ARM), Improper Authentication

Severity: Critical (CVSS 10.0)  

What Is CVE-2026-47280? 
 

CVE-2026-47280 is a critical privilege escalation vulnerability affecting Microsoft Azure Resource Manager (ARM). The issue is caused by improper authentication handling, which may allow an unauthorized attacker to elevate privileges over a network.  

Azure Resource Manager is a core service used to deploy, manage, and control cloud resources within Microsoft Azure environments. Because ARM sits at the center of Azure resource administration, successful exploitation could allow attackers to gain elevated access to cloud resources and management functions.  

Affected Products 

The vulnerability affects Microsoft Azure Resource Manager (ARM) environments where the vulnerable authentication mechanism is present. Microsoft has released security guidance and remediation information through its security update channels.

Observed Attack Activity 

At the time of publication, there are no publicly confirmed reports of active exploitation in the wild. However, the vulnerability is considered highly critical because: 

  • It can be exploited over a network
  • It requires no user interaction
  • It may allow privilege escalation to highly privileged cloud roles
  • It impacts a core cloud management component used across enterprise environments

Given the critical CVSS rating and cloud infrastructure impact, organizations are advised to prioritize remediation immediately.  

If exploited successfully, CVE-2026-47280 could potentially allow attackers to: 

  • Gain elevated permissions within Azure environments
  • Access or modify cloud resources
  • Disrupt business operations
  • Increase lateral movement opportunities within cloud infrastructure
  • Impact confidentiality, integrity, and availability of cloud workloads

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-47280  

  2. Microsoft Security Response Center (MSRC) 
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47280  

  3. National Vulnerability Database (NVD) 
    https://nvd.nist.gov/vuln/detail/CVE-2026-47280  

  4. Tenable Vulnerability Summary 
    https://www.tenable.com/cve/CVE-2026-47280 


WordPress Logtivity Plugin Authentication Bypass 

CVE-2026-8198 

Published: 2026-05-09 
Updated: 2026-05-09  

Vendor: Logtivity 
Product: Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity 

Attack Tags: Authentication Bypass, Information Disclosure, REST API, WordPress Plugin 

Severity: Medium (CVSS 5.3) 

What Is CVE-2026-8198? 

CVE-2026-8198 is a medium-severity authentication bypass vulnerability affecting the Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress. The issue exists in the plugin’s verifyAuthorization logic. Due to improper validation handling, requests that do not include an Authorization header may bypass authentication checks completely. As a result, unauthenticated attackers may access sensitive activity log information exposed through the plugin’s REST API endpoints. 
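The defect class described above (a missing Authorization header falling through as "authorized") is easiest to see beside its fix. The following is an added Python reconstruction of that pattern, not the Logtivity plugin's code; the header name, the bearer-token scheme and the function names are assumptions.

```python
# Python reconstruction of the authorization-check defect class described for
# CVE-2026-8198, not the Logtivity plugin's code. The header name, the token
# scheme and the function names are assumptions.
import hmac

EXPECTED_TOKEN = "constructed-secret-token"  # constructed sample value


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def verify_authorization_vulnerable(headers: dict) -> bool:
    """Buggy pattern: the token is only compared when the header is present,
    so a request that omits Authorization entirely is never rejected."""
    auth = _header(headers, "Authorization")
    if auth is not None:
        return hmac.compare_digest(auth, f"Bearer {EXPECTED_TOKEN}")
    return True  # missing header falls through as "authorized"


def verify_authorization_fixed(headers: dict) -> bool:
    """Hardened pattern: default deny. A missing or malformed header is
    rejected before any comparison, and the comparison is constant-time."""
    auth = _header(headers, "Authorization")
    if not isinstance(auth, str):
        return False
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, EXPECTED_TOKEN)
```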

Affected Versions 

The vulnerability affects: 

  • Logtivity Plugin versions up to and including 3.3.6

Systems running outdated versions remain vulnerable until updated to a patched release. 

Observed Attack Activity 

At the time of disclosure, there are no confirmed reports of widespread exploitation in the wild. 

However, the vulnerability is considered important because: 

  • It requires no authentication
  • It can be exploited remotely via API requests
  • Sensitive activity logs may expose operational or user-related information

Attackers commonly use information disclosure vulnerabilities as part of reconnaissance activities before launching broader attacks against WordPress environments. 

Even though this is not a direct remote code execution vulnerability, exposed activity logs can provide attackers with: 

  • Usernames and administrative activity details
  • Plugin and system behavior insights
  • Operational information useful for targeted attacks
  • Increased visibility into the WordPress environment

Such information can assist attackers in phishing, credential attacks, or identifying additional weaknesses in the application stack. 

Additional Resources 

  1. Official CVE Record — CVE.org 
    CVE-2026-8198 Official Record 

  2. Wordfence Vulnerability Database 
    Wordfence Threat Intelligence Entry  

  3. CVEFeed Vulnerability Overview 
    CVEFeed Detailed Summary  

  4. NVD — National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-8198 


FortiClientEMS Improper Access Control Vulnerability 

CVE-2026-35616  

Published: 2026-04-04 
Updated: 2026-04-21  

Vendor: Fortinet 
Product: FortiClientEMS  

Attack Tags: Remote Code Execution, Improper Access Control, Authentication Bypass, API Abuse 

Severity: Critical (CVSS 9.1) 

What Is CVE-2026-35616? 

CVE-2026-35616 is a critical improper access control vulnerability affecting Fortinet FortiClient Enterprise Management Server (EMS).  

The vulnerability allows an unauthenticated remote attacker to execute unauthorized commands or code by sending specially crafted requests to the affected FortiClientEMS instance. The underlying weakness lets a network attacker forge data, such as authentication tokens or cookies, that the application then treats as trustworthy. 

Affected Versions 

  • FortiClientEMS 7.4.5 through 7.4.6  

Observed Attack Activity 

Active exploitation has been reported in the wild. 

Threat actors are observed using: 

  • Specially crafted HTTP/API requests against FortiClientEMS  
  • Attempts to bypass authentication controls  
  • Remote command execution attempts  
  • Unauthorized access to EMS management functions 

Successful exploitation may allow attackers to: 

  • Execute arbitrary commands on the FortiClientEMS server  
  • Gain control over the endpoint management infrastructure  
  • Modify security configurations  
  • Deploy malicious software to managed endpoints  
  • Access sensitive endpoint management data  
  • Use the compromised EMS server as a pivot point for further attacks  

Because FortiClientEMS acts as a central management platform for enterprise endpoints, compromise of this system can significantly impact the security of connected devices. 

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-35616 

  2. fortiguard.fortinet.com 
    https://fortiguard.fortinet.com/psirt/FG-IR-26-099 

  3. SentinelOne 
    http://sentinelone.com/vulnerability-database/cve-2026-35616/ 

  4. NHS England Cyber Alert 
    https://digital.nhs.uk/cyber-alerts/2026/cc-4766 


Apache HTTP Server HTTP/2 Double-Free Vulnerability

CVE-2026-23918  

Published: 2026-05-04 
Last Updated: 2026-05-04 

Vendor: Apache Software Foundation  
Product: Apache HTTP Server  

Attack Tags: Remote Code Execution, Memory Corruption, Web Server Exploitation, Denial of Service 

Severity: High (CVSS 8.8) 

What Is CVE-2026-23918? 

CVE-2026-23918 is a high-severity memory management vulnerability in Apache HTTP Server, specifically affecting the HTTP/2 protocol handling component.  

The vulnerability is caused by a double-free condition, where the Apache HTTP Server incorrectly releases the same memory object more than once during specific HTTP/2 request processing scenarios. This can corrupt heap memory structures and may allow an attacker to influence memory operations. 

The flaw occurs during handling of certain HTTP/2 stream lifecycle events, including early stream termination/reset scenarios. 

Affected Versions 

  • Apache HTTP Server 2.4.66  

Observed Attack Activity 

Public exploit research and PoC activity have been reported.  

Attackers may attempt: 

  • Crafted HTTP/2 requests against vulnerable Apache servers  
  • Malformed stream reset sequences  
  • Repeated requests designed to trigger memory corruption  
  • Attempts to crash Apache worker processes  

Successful exploitation could allow an attacker to: 

  • Execute arbitrary code on the affected Apache server  
  • Compromise the web server process  
  • Access sensitive hosted applications or data  
  • Modify web content  
  • Deploy malicious files or web shells  
  • Cause service disruption through repeated crashes 

Additional Resources 

  1. Official CVE Record — CVE.org 
    CVE Record: CVE-2026-23918 

  2. Apache Server Security Advisories 
    Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project 

  3. SentinelOne 
    https://www.sentinelone.com/vulnerability-database/cve-2026-23918 

PostgreSQL Integer Wraparound Flaw Enabling Memory Corruption 

CVE-2026-6473 

Published: 2026-05-14 
Updated: 2026-05-14 

Vendor: PostgreSQL Global Development Group 

Product: PostgreSQL  

Attack Tags: Integer Wraparound, Memory Corruption, Denial of Service, Database Server Exploitation, Input Validation Error 
 
Severity: High (CVSS 8.8) 

What Is CVE-2026-6473? 

CVE-2026-6473 is a high-severity PostgreSQL server vulnerability caused by an integer wraparound flaw in multiple PostgreSQL server features. The issue allows an unprivileged database user to provide specially crafted input that causes PostgreSQL to calculate an incorrect memory size, resulting in an undersized memory allocation and an out-of-bounds write. 

In environments where applications pass extremely large user-controlled inputs (gigabyte-scale data) to affected database functions, attackers may also trigger segmentation faults and service disruption. 
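To make the wraparound-to-undersized-allocation chain described above concrete, here is an added Python model of that bug class. It is not PostgreSQL's code: the 32-bit signed arithmetic is emulated explicitly, and the element size, header size and function names are assumptions.

```python
# Model of the integer-wraparound failure mode described for CVE-2026-6473:
# a length computed in a 32-bit signed int wraps, the buffer is allocated far
# too small, and the subsequent write runs past it. Not PostgreSQL's code; the
# element size, header size and function names are assumptions.
INT32_MAX = 2**31 - 1
HEADER_BYTES = 4     # assumed fixed header in front of the payload
ELEMENT_BYTES = 4    # assumed per-element size


def to_int32(value: int) -> int:
    """Emulate C's two's-complement wraparound of a 32-bit signed int."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def alloc_size_wrapping(count: int) -> int:
    """Buggy pattern: count * ELEMENT_BYTES + HEADER_BYTES evaluated in int.
    For gigabyte-scale counts the product wraps, so the result is tiny or
    negative and the allocation is undersized relative to the data written."""
    return to_int32(to_int32(count * ELEMENT_BYTES) + HEADER_BYTES)


def alloc_size_checked(count: int) -> int:
    """Hardened pattern: reject before multiplying when the result cannot fit,
    the way an overflow-checked size computation does."""
    if count < 0 or count > (INT32_MAX - HEADER_BYTES) // ELEMENT_BYTES:
        raise ValueError(f"requested size exceeds limit for count={count}")
    return count * ELEMENT_BYTES + HEADER_BYTES


def write_would_overflow(count: int) -> bool:
    """True when the bytes the caller will write exceed the wrapped allocation."""
    needed = count * ELEMENT_BYTES + HEADER_BYTES
    return alloc_size_wrapping(count) < needed
```

With a count of 2**30 four-byte elements (4 GiB of input) the wrapping computation yields an allocation of only 4 bytes, which is the undersized-buffer condition the advisory describes.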

Affected Versions 

  • PostgreSQL 18.x before 18.4  
  • PostgreSQL 17.x before 17.10  
  • PostgreSQL 16.x before 16.14  
  • PostgreSQL 15.x before 15.18  
  • PostgreSQL 14.x and earlier, before 14.23  

Observed Attack Activity 

As of the latest available information, no confirmed active exploitation campaigns or widespread attacks have been publicly reported for CVE-2026-6473.  

However, due to the vulnerability’s ability to cause memory corruption and potential code execution, attackers may target exposed PostgreSQL database servers, especially environments where untrusted or low-privileged users can submit large or specially crafted inputs.  

Potential Attack Indicators: 

  • Unexpected PostgreSQL server crashes or restarts  
  • Database process segmentation faults  
  • Abnormal memory consumption  
  • Suspicious activity from low-privileged database accounts  
  • Unusual queries involving large input payloads

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-6473 

  2. PostgreSQL Security Advisory 
    https://www.postgresql.org/support/security/CVE-2026-6473/ 

  3. National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-6473 

Redis Heap Buffer Overflow Vulnerability  

CVE-2026-25243 

Published: 2026-05-05 
Updated: 2026-05-05 

Vendor: Redis 
Product: Redis  

Attack Tags: Remote Code Execution, Memory Corruption, Heap-Based Buffer Overflow, Privilege Abuse, Critical Infrastructure Risk 
 
Severity: High (CVSS 7.7) 

What Is CVE-2026-25243? 

CVE-2026-25243 is a high-severity remote code execution vulnerability affecting Redis. The vulnerability exists in the RESTORE command, where Redis fails to properly validate serialized data before processing it. 

An authenticated attacker with permission to execute the RESTORE command can supply a specially crafted serialized payload that triggers invalid memory access and heap-based memory corruption.  

A workaround is to restrict access to the RESTORE command with ACL rules.  

Affected Versions 

  • Redis versions before 8.6.3  

Observed Attack Activity 

As of current available threat intelligence, no confirmed widespread active exploitation has been reported for CVE-2026-25243. However, the vulnerability presents a significant risk for Redis deployments where the RESTORE command is exposed to unauthorized or low-privileged users.  

Successful exploitation may allow the attacker to execute arbitrary code on the system running the Redis server, potentially leading to complete compromise of confidentiality, integrity, and availability. 

Potential attack indicators include: 

  • Unusual use of the Redis RESTORE command  
  • Suspicious serialized payloads submitted to Redis  
  • Unexpected Redis service crashes or restarts  
  • Abnormal memory usage by the Redis process  
  • Unauthorized attempts to access Redis instances  

Organizations should monitor Redis logs, review ACL permissions, and restrict access to sensitive commands. 
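The indicator lists in the PostgreSQL (CVE-2026-6473) and Redis (CVE-2026-25243) entries can be turned into simple log checks. The following added example (not vendor code) scans constructed PostgreSQL server-log lines for backend segmentation faults and constructed Redis MONITOR output for use of the RESTORE command; the sample lines follow the real log formats but are constructed here, and the command set beyond RESTORE is an assumption.

```python
# Added detection example for the indicator lists in the PostgreSQL and Redis
# entries. Sample log lines are constructed in the real formats; not vendor code.
import re
from typing import Iterable

# PostgreSQL postmaster message when a backend dies with SIGSEGV (signal 11).
PG_SEGFAULT = re.compile(r"server process \(PID (\d+)\) was terminated by signal 11")
# Redis MONITOR line: '<timestamp> [<db> <client-addr>] "CMD" "arg" ...'.
REDIS_MONITOR = re.compile(r'^\d+\.\d+ \[(\d+) (\S+)\] "([^"]+)"')
# RESTORE is the command named in the advisory; RESTORE-ASKING is its cluster
# variant and is included here as an assumption.
REDIS_SENSITIVE = {"RESTORE", "RESTORE-ASKING"}


def scan_postgres(lines: Iterable[str]) -> list:
    """Return (pid, line) for every backend segmentation fault in the log."""
    hits = []
    for line in lines:
        m = PG_SEGFAULT.search(line)
        if m:
            hits.append((int(m.group(1)), line.strip()))
    return hits


def scan_redis_monitor(lines: Iterable[str]) -> list:
    """Return (client, command) for every sensitive command in MONITOR output."""
    hits = []
    for line in lines:
        m = REDIS_MONITOR.match(line)
        if m and m.group(3).upper() in REDIS_SENSITIVE:
            hits.append((m.group(2), m.group(3).upper()))
    return hits


# Constructed sample input.
PG_LOG = [
    "2026-05-14 10:02:11 UTC LOG:  statement: SELECT 1",
    "2026-05-14 10:02:13 UTC LOG:  server process (PID 4711) was terminated by signal 11: Segmentation fault",
    "2026-05-14 10:02:13 UTC LOG:  terminating any other active server processes",
]
REDIS_MON = [
    '1778000000.101 [0 10.0.0.5:51234] "GET" "session:42"',
    '1778000000.205 [0 10.0.0.9:40001] "RESTORE" "k" "0" "\\x00\\x01..."',
]
```

In production the same functions would be fed from the PostgreSQL log directory and a short, bounded MONITOR capture, with hits routed to the alerting pipeline rather than printed.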

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-25243 

  2. GitHub Advisories 
    https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4 

  3. RedHat Security Advisories 
    https://access.redhat.com/security/cve/cve-2026-25243 

  4. Redis Security Blog Advisories  
    https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve202625589-cve-2026-23631/ 
