Live Cyber Security Threat Dashboard
Hawkra Threat Dashboard
Your daily cyber security threat intelligence hub. Track the latest CVEs, active exploits, data breaches, and cyber attacks, all enriched with CISA KEV data, EPSS exploit predictions, and MITRE ATT&CK mapping. Free AI-generated threat briefings updated every 24 hours.
Today's Cyber Security Threats
AI Daily Threat Briefing
Wednesday, June 3, 2026
Active Exploits & Threat Groups
CISA has added three significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors. These include CVE-2022-0492, an improper authentication flaw in the Linux Kernel that could allow for container escape and privilege escalation on the underlying host. Also added are CVE-2025-48595, an integer overflow in the Android Framework that could lead to arbitrary code execution on mobile devices, and CVE-2024-21182, an unspecified but critical vulnerability in Oracle WebLogic Server, a common component in enterprise application infrastructure. The inclusion of these vulnerabilities underscores the ongoing risk posed by flaws in core operating systems, mobile platforms, and enterprise middleware.
A wide array of sophisticated threat actors are known to leverage vulnerabilities of this nature in their campaigns. Groups such as APT28 (aka Fancy Bear), APT29 (aka Cozy Bear), and the Sandworm Team frequently exploit server-side and kernel-level vulnerabilities for initial access and lateral movement. Similarly, financially motivated groups like the Lazarus Group and espionage-focused actors such as APT33 (aka Elfin) and OilRig are adept at weaponizing such flaws. These groups typically rely on execution tactics to run malicious code and on stealth to maintain persistence and evade detection within compromised networks.
New Vulnerabilities
Several critical vulnerabilities have been disclosed, demanding immediate attention. Four separate flaws have received a CVSS score of 10.0. These include CVE-2026-40965, a critical private key exposure in Cloud Foundry UAA, and CVE-2026-7312, which concerns insufficiently protected credentials in Progress Sitefinity web services. Two additional CVSS 10.0 vulnerabilities, CVE-2026-45131 and CVE-2026-45132, affect CloudPirates Open Source Helm Charts, where GitHub Actions workflows could expose credentials or execute attacker-controlled code.
Other notable high-severity vulnerabilities include CVE-2026-5076 (CVSS 9.8), an insecure password reset mechanism in the ARMember Premium WordPress plugin, and CVE-2026-25879 (CVSS 9.8) in the Langroid AI framework, where prompt injection could lead to arbitrary SQL execution. These disclosures highlight significant risks across cloud infrastructure, enterprise content management systems, and emerging AI application frameworks. At present, there have been no significant increases in EPSS scores for these new vulnerabilities, but organizations should monitor them closely for signs of potential exploitation.
In the News
- Google released its June 2026 Android security update, patching 124 vulnerabilities including a zero-day flaw confirmed to be under active exploitation in targeted attacks.
- Schneebeli AG, a Zurich-based custom carpentry firm, was reported to be a victim of a data breach in early June.