Urgent Threats & Advisories

Active and archived focus items for SOC teams and threat hunters

ACTIVE RIGHT NOW

CRITICALADVISORY1d ago

Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

Four critical vulnerabilities in Dify AI platform (CVE-2026-41947, CVE-2026-41948, CVE-2026-41950) enable unauthorized access to private chats, cross-tenant document theft, and lateral API calls across multi-tenant environments. The platform powers 1 million applications, making this a widespread supply chain risk. Unpatched instances are immediately exploitable.

Action required
Identify all Dify deployments in your environment. Immediately patch to version 1.14.2 or later. Deploy WAF rules blocking CVE-2026-41948 exploitation vectors on all Dify instances pending patching. Hunt for anomalous cross-tenant API calls and unauthorized document/chat access in logs.
DifyZafran Security
CRITICALADVISORY1d ago

Malicious hackers exploit Cisco zero-day for highest access level at communications service provider

Mandiant discovered attackers exploiting an unpatched Cisco SD-WAN zero-day to achieve root-level access at a communications service provider. This granted them visibility into internal network traffic while evading detection. Communications providers and enterprises running Cisco SD-WAN edge devices are at immediate risk of persistent compromise and lateral movement.

Action required
Immediately inventory all Cisco SD-WAN controllers and edge devices in your environment. Apply the latest Cisco security patch and validate successful deployment within 24 hours. Hunt for suspicious root-level access logs and unusual inter-site traffic patterns in the past 90 days.
Cisco Catalyst SD-WAN ManagerCiscoMandiantGoogle
CRITICALADVISORY1d ago

Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking

A new class of CI/CD vulnerabilities called Cordyceps has been discovered in GitHub Actions YAML configurations that allows unauthenticated attackers to hijack repositories and steal credentials. The flaws exploit workflow composition logic rather than individual components, bypassing traditional scanners and affecting millions of open-source repos from Microsoft, Google, and Apache. Attackers can achieve command injection, artifact poisoning, and full repository control.

Action required
Audit all GitHub Actions YAML files in your organization for untrusted variable interpolation, dynamic workflow triggers, and credential exposure patterns. Prioritize repositories with write access to production systems. Enable branch protection rules and require code reviews for all workflow changes.
GitHub ActionsMicrosoftGoogleApacheCloudflare

ARCHIVE

Category:
Severity:
No focus items found.
Try a different filter.