🚨 CRITICAL ALERT: Active Zero-Day Exploits

Two critical vulnerabilities with CVSS scores of 9.8 and 8.5 are in scope, and both are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed real-world abuse. Immediate patching and exposure reduction are required to reduce the risk of remote code execution and hostile takeover of affected systems.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2018-1273 (CVSS: 9.8): Spring Data Commons versions prior to 1.13.10 and 2.0.5 contain a property binder vulnerability caused by improper neutralization of special elements, allowing an unauthenticated remote attacker to submit crafted request parameters that can trigger remote code execution against Spring Data REST-backed HTTP resources or projection-based request payload binding. This issue is listed in CISA KEV and has been associated with active exploitation and ransomware use.
  • CVE-2026-54420 (CVSS: 8.5): LiteSpeed cPanel plugin before 2.4.8, as distributed in LiteSpeed WHM PlugIn before 5.3.2.0, mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, and it was exploited in the wild in May 2026. This issue is listed in CISA KEV, making it an active exploitation concern for shared hosting environments.

⚡ Immediate Actions Required

Patch now. Upgrade Spring Data Commons to a fixed release at or above 1.13.10 or 2.0.5, and update the LiteSpeed cPanel plugin to 2.4.8 or later, or LiteSpeed WHM PlugIn to 5.3.2.0 or later, following vendor guidance.

Reduce exposure immediately. Restrict internet access to Spring Data REST endpoints, limit access to trusted networks, and disable or tightly control any functionality that accepts user-controlled parameters for binding or projection handling.

Hunt for compromise. Review application and hosting logs for suspicious request parameters, SpEL-like payloads, unexpected child processes, unauthorized file or symlink activity, and signs of web shell or FTP abuse. Treat any confirmed exposure as a potential incident and escalate containment if exploitation is suspected.
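
A triage pass for the "suspicious request parameters" and "SpEL-like payloads" items above, as an added example (not vendor or CISA tooling). The marker list, the function names and the sample log lines are assumptions constructed for illustration; standard access logs omit POST bodies, so pass captured form bodies to `suspicious_param_names` where a WAF or audit log records them.

```python
import re
from urllib.parse import unquote_plus

# Heuristic SpEL markers: an assumption of this example, not a vendor signature.
SPEL_MARKERS = re.compile(
    r"#this|#root|\bT\s*\(|getClass|forName|java\.lang|ProcessBuilder|\.exec\s*\("
)
# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
BRACKETED = re.compile(r"\[(.+)\]")

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded markers are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_param_names(param_string):
    """Return parameter names whose [...] part contains expression syntax."""
    hits = []
    for pair in param_string.split("&"):
        name = decode_fully(pair.split("=", 1)[0])
        index = BRACKETED.search(name)
        # Normal binding paths look like items[0] or map[key]; flag only markers.
        if index and SPEL_MARKERS.search(index.group(1)):
            hits.append(name)
    return hits

def scan_access_log(lines):
    """Return (line number, method, path, flagged names) for each suspect entry."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        path, _, query = request.group("target").partition("?")
        names = suspicious_param_names(query)
        if names:
            findings.append((lineno, request.group("method"), path, names))
    return findings

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /users?page=0&sort[0]=name HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /users?name%5B%23this.getClass()%5D=x HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "POST /users?name%255BT(java.lang.Runtime)%255D=x HTTP/1.1" 500 0',
]
```

Hits are leads for review, not proof of exploitation: correlate them with response codes, child-process creation on the application host, and the patch level at the time of the request.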