• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Joseph Lee

CVE-2026-48282: CVSS 10 Flaw in Adobe ColdFusion Is Actively Exploited and More

Blog

CVE-2026-48282 (CVSS 10) is a critical path traversal vulnerability [CWE-22] in Adobe ColdFusion. According to Adobe’s Security Bulletin [APSB26-68], the issue affects ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Exploitation is network-based, which increases the risk to exposed ColdFusion instances, and exploitation does not require authentication. A successful attack allows arbitrary remote code execution (RCE) in the context of the current user.

KEVIntel captured honeypot attacks targeting CVE-2026-48282, indicating that active exploitation may be underway, and CISA has added the flaw to their Known Actively Exploited (KEV) list. Watchtowr Labs has published a public Proof-of-Concept (PoC) exploit with full technical root-cause analysis. Multiple national CERT alerts have been issued for CVE-2026-48282, indicating high concern globally [1][2][3][4][5][6][7][8].

CVE-2026-48282-adobe-coldfusion-exploited

In total, 11 CVEs were disclosed in Adobe’s APSB26-68 advisory, and six of those were assigned the highest possible CVSS severity rating. The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

A Risk Assessment of CVE-2026-48282 in Adobe ColdFusion

CVSS 10 · CriticalActively exploitedIn CISA KEVPublic PoC

Adobe has assigned CVE-2026-48282 the highest CVSS severity rating. The primary defensive concern is that a path traversal [CWE-22] issue in a web-facing application server can allow an attacker to move outside intended directory boundaries and reach sensitive resources. Adobe reports that CVE-2026-48282 can lead to arbitrary RCE in the context of the current user. Because exploitation does not require privileges or user interaction, externally reachable instances carry the highest exposure.

Adobe ColdFusion is an enterprise application server used to build, deploy, and scale data-driven web applications, APIs, intranet portals, administrative systems, and cloud-connected business applications. The exploitation reporting should be treated as operationally significant even without additional technical detail.

Mitigating CVE-2026-48282 in Adobe ColdFusion

CVE-2026-48282 is remediated by updating to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. Adobe does not provide any alternative workarounds or compensating controls. Where instances are externally reachable, remediation should be prioritized. The OPENVAS ENTERPRISE FEED includes a remote_banner check to identify Adobe ColdFusion instances affected by CVE-2026-48282.

➡

Start Your Free Trial

The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and every other CVE in Adobe’s APSB26-68 advisory. Grab a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

Other CVEs From Adobe’s APSB26-68 Advisory

Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. There are no reports of active exploitation for the CVEs described below, and no detailed technical analysis or PoC are available. All CVEs in the security bulletin affect the same product scope. Therefore, the mitigation described above covers all the vulnerabilities.

The ten additional CVEs disclosed in Adobe APSB26-68, each shown with its CVSS severity band and CWE type

CVE-2026-48276 CVSS 10 · Critical CWE-434

An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48277 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48281 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48316 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48283 CVSS 10 · Critical CWE-434

An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48313 CVSS 9.3 · Critical CWE-22

A Path Traversal vulnerability allows arbitrary file system read and limited write access. An attacker could access sensitive files and directories outside the intended access scope.

CVE-2026-48315 CVSS 9.3 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user. An attacker can inject malicious scripts into a web page, potentially gaining elevated access or control over the victim’s account or session. Exploitation requires the target to open a malicious file.

CVE-2026-48307 CVSS 8.8 · High CWE-79

A reflected Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious scripts into a web page, potentially resulting in arbitrary code execution on the system of victims who open a malicious link.

CVE-2026-48285 CVSS 8.6 · High CWE-918

A Server-Side Request Forgery (SSRF) vulnerability allows an attacker to bypass security measures and gain unauthorized read access.

CVE-2026-48314 CVSS 6.5 · Medium CWE-22

A Path Traversal vulnerability allows an attacker to gain limited read and write access to unauthorized files or directories outside the intended restrictions.

Summary

Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. In-the-wild exploitation has been reported for CVE-2026-48282, which potentially allows arbitrary RCE in the current user context. The affected scope is ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Adobe’s fixed versions are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

 

Contact Test Now Buy Here Back to Overview
13. July 2026/by Joseph Lee
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-07-13 14:55:492026-07-13 14:55:49CVE-2026-48282: CVSS 10 Flaw in Adobe ColdFusion Is Actively Exploited and More
Joseph Lee

June 2026 Threat Report: Technical Debt Demands Visibility

Blog

June 2026 Threat Report: technical debt demands visibility

The true impact that cyber security aware AI will have on the global threat landscape remains to be seen. By some reports, the CVE output for software made by major vendors is on the rise. This June 2026 threat report only scratches the surface of the major cyber security threats from this month. The month brought a concentrated wave of actively exploited enterprise vulnerabilities, with CISA logging multiple new additions to its Known Exploited Vulnerabilities (KEV) catalog throughout the month. At least one new critical perimeter network exploit was tied to an active ransomware affiliate.

Greenbone’s vulnerability coverage extends far beyond major, headline-grabbing IT security events, such as the ones in this monthly threat report, and keeps pace with the onslaught of AI driven disclosures. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

Here are some of the top emerging threats to enterprise IT security from June 2026.

CVE-2026-20253: Unauthenticated RCE in Splunk Enterprise Actively Exploited

CVSS 9.8 · CriticalActively exploitedIn CISA KEVPublic PoC

CVE-2026-20253 (CVSS 9.8, EPSS ≥ 95th pctl) allows an unauthenticated remote attacker to create or truncate arbitrary files in Splunk Enterprise 10.2 before 10.2.4 and 10.0 before 10.0.7. The flaw is due to missing authentication [CWE-306] on a PostgreSQL sidecar service endpoint. Splunk confirmed limited in-the-wild exploitation, and CISA has added the flaw to KEV. A full technical description with PoC exploit code has been published by WatchTowr demonstrating unauthenticated RCE. Shadowserver tracked more than 1,400 internet-exposed Splunk instances.

CVE-2026-20253 is patched in Splunk Enterprise 10.2.4 and 10.0.7, and customers should upgrade immediately. If patching is not possible, exploitation can be prevented by disabling the PostgreSQL sidecar service. However, disabling the service may disrupt Edge Processor, OpAmp, or SPL2 data pipelines. The OPENVAS ENTERPRISE FEED includes a remote analysis check and a separate remote banner check to identify affected instances.

CVE-2026-28318: SolarWinds Serv-U Exploited in DoS Attacks

CVSS 7.5 · HighActively exploitedIn CISA KEVPublic PoC

CVE-2026-28318 (CVSS 7.5, EPSS ≥ 60th pctl) allows an unauthenticated remote attacker to cause a denial of service (DoS) in SolarWinds Serv-U Managed File Transfer and FTP Server. CISA added the flaw to its KEV catalog; however, no campaign attribution has been made. A technical description has been published. Exploitation is achieved by simply including the Content-Encoding: deflate request header and can crash the Serv-U service. The flaw is caused by uncontrolled resource consumption [CWE-400] in crafted HTTP POST request handling.

There is significant risk of operational disruption to exposed file transfer servers used in regulated sectors such as healthcare, finance, and government. Exposed Serv-U instances were originally reported to be more than 12,000 by Shodan and roughly 3,000 by Shadowserver. However, Shodan detection had since fallen to less than 10,000 by the end of June.

SolarWinds advises customers to install Serv-U 15.5.4 Hotfix 1 immediately. If patching cannot be done right away, users can block POST requests containing the Content-Encoding: deflate header without losing any functionality. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect vulnerable instances.

Living on the Edge: Emerging Threats to Perimeter Security

Vulnerabilities in network perimeter devices are particularly high risk because they are exposed to attack by arbitrary remote attackers. According to the latest Verizon DBIR 2026 report, exploiting publicly exposed software vulnerabilities is now the most common vector for initial access globally. Here are some of the most critical emerging threats to perimeter devices in June 2026.

CVE-2026-50751: Check Point Security Gateway Exploited in Ransomware Attacks

CVSS 9.3 · CriticalActively exploitedIn CISA KEVPublic PoCRansomware-linked

CVE-2026-50751 (CVSS 9.3, EPSS ≥ 98th pctl) and CVE-2026-50752 (CVSS 7.4, EPSS ≥ 90th pctl) affect Check Point VPN Remote Access, Mobile Access, Security Gateways, and Spark Firewalls. CVE-2026-50751 is being actively exploited with at least one post-compromise case linked to a Qilin ransomware affiliate. CISA has added CVE-2026-50751 to its KEV catalog. The first attacks were observed on May 7, 2026. A few dozen organizations have been targeted globally. PoC exploit code and a full technical description are publicly available for CVE-2026-50751. CVE-2026-50752 is not reported as actively exploited.

The CVEs are described below:

  • CVE-2026-50751 (CVSS 9.3, EPSS ≥ 98th pctl): Unauthenticated remote attackers can establish VPN access through a logic-flow and certificate-validation weakness in IKEv1 deployments.
  • CVE-2026-50752 (CVSS 7.4, EPSS ≥ 90th pctl): Could allow unauthenticated attackers to conduct adversary-in-the-middle attacks against VPN site-to-site connections.

Check Point has published recommendations for removing support for legacy protocols, upgrading affected instances to fixed versions, and provides additional security hardening advice [1][2]. The OPENVAS ENTERPRISE FEED includes remote banner detection for Gaia, Check Point’s unified security OS for Security Gateways, Security Management products, Software Blades, Check Point appliances, and Open Servers. Check Point Gaia version R80.20, R80.40, R81, R81.10, R81.20, R82, and R82.10 are affected.

Three CVSS 10 Flaws in Ubiquiti UniFi OS Allow Unauthenticated RCE

CVSS 10 · CriticalExploited as zero-dayIn CISA KEV

Three new CVSS 10 flaws affecting UniFi OS systems have been published and added to CISA’s KEV list. The flaws collectively allow attackers to modify underlying operating-system files and accounts, and execute commands. User reports indicate the flaws were likely exploited as zero-days to create rogue administrator accounts. Risk is elevated because UniFi OS devices centrally manage network infrastructure, making successful compromise a potential path for lateral movement into enterprise environments.

The CVEs are described below:

  • CVE-2026-34908 (CVSS 10): An attacker with network access can exploit an improper access control vulnerability [CWE-284] in UniFi OS devices to make unauthorized changes to the system.
  • CVE-2026-34909 (CVSS 10): An attacker with network access can exploit a path traversal vulnerability [CWE-22] in UniFi OS devices to access and manipulate files on the underlying system and access underlying accounts.
  • CVE-2026-34910 (CVSS 10): An attacker with network access can exploit an improper input validation vulnerability [CWE-20] in UniFi OS devices to execute command injection attacks.

Bishop Fox published a full technical analysis showing that CVE-2026-34908 and CVE-2026-34909 form an authentication gateway bypass caused by crafted NGINX request handling. Exploitation exposes internal routes and enables command injection via CVE-2026-34910.

Exploitation of all aforementioned CVEs has been validated against UniFi OS version 5.0.6. Ubiquiti fixed the vulnerabilities in UniFi OS Server version 5.0.8, released on May 21, 2026. No workarounds are available. The OPENVAS ENTERPRISE FEED includes a remote vulnerability check and remote banner check for Ubiquiti UniFi OS on various devices and an additional remote vulnerability check and remote banner check for Ubiquiti UniFi OS Server version 5.0.6 and prior.

Squidbleed (CVE-2026-47729) Memory Leak Has Public PoC

CVSS 6.5 · MediumPublic PoCNo ITW exploitation

CVE-2026-47729 (CVSS 6.5), also known as Squidbleed, allows an authorized Squid proxy user to leak another user’s cleartext HTTP request data. The flaw is caused by a heap over-read in the FTP directory-listing parser. Leaked data may include credentials, session tokens, API keys, and Authorization headers. Public proof-of-concept exploit code and a full technical description are available. However, in-the-wild exploitation has not been reported. Surprisingly, despite having a GitHub Security Advisory referencing the CVE by ID, CVE-2026-47729 has not been published to MITRE’s CVE.org or NIST NVD as of July 1st, 2026.

The flaw affects shared proxy environments where Squid can inspect cleartext HTTP or terminate TLS altogether, and all Squid versions dating back to a 1997 FTP parser change. Exploitation requires the Squid instance to be able to reach an attacker-controlled FTP server on TCP port 21. The flaw is fixed in the Squid 7.6 June 2026 release but can also be mitigated by disabling FTP support if not required. The OPENVAS ENTERPRISE FEED includes package-level detection for Linux distributions that have issued security advisories and a remote banner detection for affected versions of Squid proxy.

CVE-2026-10520 and CVE-2026-10523 in Ivanti Sentry

CVSS 10 · CriticalActively exploitedIn CISA KEVPublic PoC

CVE-2026-10520 (CVSS 10) and CVE-2026-10523 (CVSS 9.8) allow a remote, unauthenticated attacker to achieve root-level RCE and create arbitrary administrative accounts in Ivanti Sentry. CVE-2026-10520 has been added to CISA’s KEV catalog after reported exploitation attempts against honeypots. watchTowr published a full technical analysis including a public PoC exploit. Shadowserver reported large-scale exploitation of CVE-2026-10520, identifying 19 vulnerable instances in its scans with at least two identified as compromised.

  • CVE-2026-10520 (CVSS 10): An OS command injection vulnerability [CWE-78] allows a remote, unauthenticated user to achieve root-level remote code execution.
  • CVE-2026-10523 (CVSS 9.8): An authentication bypass vulnerability [CWE-288] allows a remote, unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

Exploitation requires access to the management port 8443. Affected versions include Ivanti Sentry 10.5.1, 10.6.1, 10.7.0, and prior versions, with fixes available in 10.5.2, 10.6.2, and 10.7.1. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and a remote banner check that cover both CVEs.

The HTTP/2 Bomb: DoS against All Major Web Servers

CVSS 7.5 · HighPublic PoCMulti-vendor DoS

HTTP/2 Bomb is a remote, unauthenticated denial-of-service (DoS) technique against HTTP/2 server implementations. The flaw affects the default HTTP/2 configurations in Apache HTTP Server, NGINX, Microsoft IIS, Envoy Proxy, and Cloudflare Pingora, among other digital products that package them. A detailed technical write-up is available, and Calif’s HTTP/2 Bomb companion repository lists self-contained per-server PoCs and Docker labs for major affected web servers, increasing the risk. HTTP/3 is not reported as directly vulnerable to the current HTTP/2 Bomb technique.

The exploit uses legitimate HTTP/2 features in a way the HPACK header compression spec did not constrain. Affected web servers failed to enforce the extra limits needed to make those features safe. Exploitation has a reported memory amplification of between 70:1 and 5.7K:1 and allows consuming 32 GB to 64 GB of server memory within seconds. The root cause is flawed HTTP/2 request handling, where HPACK-driven cookie expansion triggers excessive memory allocation and data amplification. Calif.io also states that the deeper root cause is a protocol specification issue. The major products related to HTTP/2 Bomb are described below:

  • CVE-2026-49975 (CVSS 7.5) — Apache HTTP Server mod_http2: Apache HTTP Server versions 2.4.17 through 2.4.67 are affected and the issue is fixed in Apache HTTP Server version 2.4.68.
  • CVE-2026-47774 (CVSS 7.5) — Envoy Proxy: Envoy versions before 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected.
  • CVE-2026-49160 (CVSS 7.5) — Microsoft HTTP.sys / IIS: Affects Microsoft HTTP.sys, the Windows HTTP stack used by IIS and other Windows HTTP services. Microsoft addressed the issue in its June 9th, 2026 security updates.
  • No CVE assigned — nginx: All nginx versions before 1.29.8 are affected and the issue is fixed in nginx 1.29.8. Red Hat states that upstream nginx did not assign a CVE for HTTP/2 Bomb.

Quang Luong of Calif.IO attributes the discovery of HTTP/2 Bomb to OpenAI Codex. Many additional CVEs are expected to emerge as hardware and software vendors patch their products. Greenbone includes numerous vulnerability tests to detect HTTP/2 Bomb across a wide range of Linux distributions and other affected products. This includes detection for affected Apache HTTP Server products (CVE-2026-49975), Envoy Proxy (CVE-2026-47774), Microsoft IIS (CVE-2026-49160), and nginx despite the lack of CVE coverage.

Multiple Critical Flaws in SAP SE and SAP NetWeaver AS ABAP, and ABAP Platform

CVSS 9.9 · CriticalNo known exploitationPatch available

Three new critical flaws affecting SAP products have been published. Collectively, the flaws impact NetWeaver AS ABAP and ABAP Platform, SAP NetWeaver Application Server Java Web Container, SAP Commerce Cloud, and SAP Data Hub. Risk is elevated because the flaws can allow unauthorized access, sensitive data exposure, file modification, application crashes, memory corruption, arbitrary code execution, and connection hijacking without user interaction in several cases. No active exploitation has been observed in the wild. Public PoC exploits or a full public exploit chain are not available. Mitigate by applying SAP’s June 2026 Security Patch Day updates immediately.

Details on the three CVEs are included below:

  • CVE-2026-44748 (CVSS 9.9): An authenticated attacker with normal privileges can obtain a valid signed message and send modified signed XML documents to the verifier. This can result in acceptance of tampered identity information, leading to unauthorized access to sensitive user data and disruption of normal system usage. SAP NetWeaver AS ABAP version 7.02, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54, 7.55, 7.56, 7.57, 7.58, 8.16, 9.18, and 9.19 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.
  • CVE-2026-27671 (CVSS 9.8): Due to improper RFC protocol validation in the SAP Kernel, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. SAP NetWeaver AS ABAP version 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, and 9.19 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.
  • CVE-2026-40128 (CVSS 9.0): An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters. Exploitation enables path traversal and processing of the included file and allows the attacker to view or modify sensitive information or render any part of the local system unavailable. SAP NetWeaver AS Java version 7.50 is affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.

Summary

June 2026 underscored accelerating enterprise risk from actively exploited flaws in Splunk, SolarWinds Serv-U, Check Point gateways, Ubiquiti UniFi OS, Ivanti Sentry, Squid, HTTP/2 implementations, and SAP platforms. Public PoCs, KEV listings, ransomware links, and exposed internet-facing assets reinforce the need for rapid patching, compensating controls, and continuous vulnerability detection across perimeter and core infrastructure.

Greenbone’s OPENVAS BASIC is available free of charge and includes a two-week trial of the OPENVAS ENTERPRISE FEED — giving your security team immediate access to automated vulnerability detection for the CVEs covered in this report and tens of thousands more. Start your free trial today.

 

Contact Test Now Buy Here Back to Overview
9. July 2026/by Joseph Lee
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-07-09 15:05:342026-07-09 15:24:53June 2026 Threat Report: Technical Debt Demands Visibility
Greenbone AG

Sovereignty was a promise. Now it’s becoming a test criterion.

Blog

EU as a symbol of digital sovereignty – Greenbone explains the CADA sovereignty levels

On June 3, 2026, the European Commission proposed the Cloud and AI Development Act (CADA)—the centerpiece of its new Tech Sovereignty Package. At its core: a four-tier model that public contracting authorities will use in the future to assess how sovereign a cloud provider truly is—not just where the data is located, but who owns the provider, who controls it, and which legal system it is subject to.

CADA is still a proposal, not yet law, but the direction is remarkably clear. Commission Vice President Henna Virkkunen has stated publicly that providers subject to the U.S. CLOUD Act will face structural difficulties in reaching the top two levels—regardless of where their data centers are located in Europe. The CLOUD Act allows U.S. authorities to access data from U.S. companies, no matter where in the world that data is located. Anyone subject to this law can hardly credibly promise “no influence by a third country.” That is precisely the test for Level 4.

The four levels, briefly explained

An overview of the four CADA sovereignty levels

L1

EU Location

Data and infrastructure are located in the EU. No additional requirements regarding ownership, personnel, or the software supply chain.

✓ Available to U.S. hyperscalers with an EU region

L2

Independence & Transparency

Additionally: verifiable independence from third countries and transparency throughout the entire software supply chain.

⚠ Depends on ownership structure and transparency requirements

L3

EU Ownership & EU Control

The provider must be based in the EU, EU-owned, and under EU control—including requirements regarding the citizenship of its staff.

✗ Structurally unfeasible under the U.S. CLOUD Act

L4

Complete digital sovereignty

Full transparency and control over the entire software supply chain, with no influence from third countries. The highest degree of digital independence recognized by the regulatory framework.

✗ Structurally unachievable under the U.S. CLOUD Act

Why this doesn’t end with cloud infrastructure

CADA is explicitly written for the public procurement of cloud services. But the underlying question is not specific to the cloud. It is: Who controls the software running in critical infrastructure—and to which legal system is that party accountable?

This question applies with equal validity to every security-critical software component. And hardly any component sits deeper at the heart of IT security architecture than the vulnerability management system, which knows where every vulnerability in a country’s infrastructure lies.

Who supplies this software, who controls it, and who—in case of doubt—could be forced to grant access or remain silent—this is no longer an academic question. It is the very question that CADA is now making binding for cloud providers.

Applying this standard: Where does Greenbone stand?

We are not a cloud provider as defined by CADA and will therefore not be “CADA-certified.” But if you apply the same criteria to an IT security system, a clear picture emerges:

  • Control & Legal System: Greenbone is a company founded in Germany and firmly rooted in Europe. We are subject to German and European law, not the U.S. CLOUD Act.
  • Staff: Our development and operations team is based in Germany and the EU.
  • Software Supply Chain: OPENVAS is open source. Not “auditable upon request”—but fully transparent to everyone, at any time. This is a stronger position than “auditable software,” as required by CADA for Levels 2/3.
  • Disclosure Requirements: Because we are not subject to U.S. law, there is no legal framework through which we could be forced into tacit cooperation with third-country authorities—the kind of “hidden disclosure” that CADA aims to protect against.

Many established companies are based in the U.S. This structural reality is what makes CADA measurable for the first time. An EU data center region does not change this as long as the parent company is subject to the CLOUD Act.

What this means for you

CADA is not yet in effect. But for the first time, the Commission has precisely defined what “digital sovereignty” actually means—in four verifiable stages rather than in marketing jargon. For government agencies, KRITIS operators, and public contracting authorities, this will likely become a requirement in their specifications.

Those who are already built on this foundation today won’t have to migrate tomorrow.

 

Contact Try for Free Buy Here Back to Overview
8. July 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-07-08 11:28:562026-07-08 11:28:56Sovereignty was a promise. Now it’s becoming a test criterion.
Greenbone AG

The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Action

Blog

Greenbone, home of OPENVAS, and KIX Service Software

For the first time, attackers are exploiting unpatched vulnerabilities more often than they’re stealing credentials. According to Verizon’s 2026 Data Breach Investigations Report, vulnerability exploitation now accounts for 31% of breaches, ahead of credential theft at 13%. And the gap is moving in the wrong direction for defenders: the median time to fully patch a vulnerability climbed to 43 days, up from 32 the year before, while organizations patched only 26% of the vulnerabilities on CISA’s Known Exploited Vulnerabilities list, down from 38% in 2024 (we broke down what’s driving this shift here).

Scanners aren’t the bottleneck here. Finding a vulnerability and actually fixing it have turned into two separate problems, and the second one is losing ground.

Two trend charts: median time to fully patch a vulnerability rose from 32 days in 2025 to 43 days in 2026, while the share of known exploited vulnerabilities actually patched fell from 38 percent in 2024 to 26 percent in 2026.

Median time to fully patch a vulnerability
2025
 
32 days
2026
 
43 days
+11 days, 34% slower
Known exploited vulnerabilities actually patched
2024
 
38%
2026
 
26%
−12 points
Source: Verizon 2026 Data Breach Investigations Report

Detection was never the hard part

Greenbone’s OPENVAS has spent nearly two decades getting good at the first half: scanning a network, identifying what’s exposed, and scoring how dangerous it is. Elmar Geese, Greenbone’s CEO, likes to compare it to a swarm of robots checking every door and window in a house. They’re fast and thorough, and when they find a broken lock, they sound the alarm.

But an alarm only matters if someone acts on it. In most organizations, that’s where things stall. A scan result lands in a report, or an inbox, or a spreadsheet nobody opens until the next audit. Someone has to read it, work out what it actually means for their specific systems, decide who owns the fix, and turn that into a tracked piece of work with a deadline. That step requires security expertise that not every IT team has sitting around, and it’s exactly where things get lost: severity gets misjudged, tickets get duplicated or never created, ownership gets argued over after the fact instead of decided up front.

This is the part of vulnerability management that doesn’t show up in scanner marketing, but it’s where most of the real delay lives.

What the integration actually changes

KIX CEO Rico Barth puts it simply: the partnership closes the gap “between the detection and the resolution of vulnerabilities.” That gap is where a security finding used to need a translator. Now it doesn’t.

KIX, the open-source ITSM platform, and Greenbone have built a direct line between the two halves of the problem. When OPENVAS flags a vulnerability, it doesn’t generate a report and stop there. It opens a ticket in KIX automatically: classified as a security incident, tied to the specific device or software it affects, and sent to the team that owns that asset. The fix-it workflow, with deadlines, reminders, and escalations, starts the moment the vulnerability is confirmed, not whenever someone gets around to reading the scan output.

It also means an IT admin opening a ticket isn’t starting from zero. The asset, the affected system, who needs to be told, and how this fits into everything else currently open are all sitting right there. Nobody has to cross-reference three different tools to figure out what’s actually going on.

Flow diagram showing urgency decreasing as a vulnerability moves from detection, in red, to an automatically created ticket, in amber, to tracked resolution, in green.

Vulnerability detected
Flagged the moment a scan completes
 
 
 
Ticket auto-created
Classified and linked to the asset
 
 
 
Tracked to resolution
Deadlines, reminders, and escalation

The bonus nobody asked for: finding the stuff you didn’t know you had

There’s a side effect that turns out to matter almost as much as the ticketing itself. OPENVAS scans more than the systems IT already knows about. It finds the laptop a department bought without asking IT, or the server someone spun up two years ago and forgot about. That inventory now flows straight into KIX’s asset database.

Shadow IT is usually framed as a policy problem. In practice, it’s a visibility problem that gets worse as networks grow. Greenbone customers are routinely surprised by what shows up the first time their environment gets properly scanned. Folding that discovery into the same system that already handles tickets and ownership means an unknown device gets absorbed into the normal IT process right away, instead of sitting in its own blind spot.

Why this matters more given who’s actually doing the work

IT and security teams are stretched thin almost everywhere, and the manual interpretation step in vulnerability management has always assumed there’s enough specialized staff to do it well. That assumption is getting shakier every year. Take away the step where a human has to manually triage, classify, and route every finding, and smaller or generalist IT teams no longer need to borrow security expertise they didn’t have in-house just to keep up.

It also helps with something that eats more time than it should: proving you did the work. Documentation, deadlines, and resolution history land automatically in KIX, which makes audits against frameworks like NIS-2, ISO 27001, or BSI-Grundschutz considerably less painful, since the evidence trail already exists instead of getting reconstructed after the fact.

Try it where it counts

If your team is running OPENVAS and KIX separately today, or evaluating either one, this integration is worth a closer look specifically because it removes a step rather than adding one. Get in touch with us to see how the handoff from scan to fix works in your own environment, and what it would take to set up. And if you’re not scanning with OPENVAS yet, OPENVAS BASIC is a reasonable place to start before connecting the rest.

KIX Service Software logoAbout KIX Service Software

KIX develops and markets the IT service management software of the same name, one of the leading open-source ITSM systems on the market. Founded in 2006, the company employs more than 50 people across Germany and serves over 400 customers across industries for IT service management and technical support. More at kixdesk.com.

Greenbone logoAbout Greenbone

Greenbone develops OPENVAS, the most widely used open-source solution for vulnerability management, with more than 100,000 installations worldwide. Founded in 2008 and based in Osnabrück, Greenbone focuses on proactive IT security and data sovereignty through fully on-premises deployment. Greenbone is certified to ISO 9001, ISO 27001, and ISO 14001. More at greenbone.net.

 

Contact Test Now Buy Here Back to Overview
7. July 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-07-07 08:38:382026-07-07 10:38:33The Missing Handoff: How KIX and Greenbone Turn Vulnerability Scans Into Action
Joseph Lee

Cisco Enterprise Devices: More Critical Flaws and Active Exploitation in June 2026

Blog

Cisco products have been battered in 2026 by critical-severity, actively exploited vulnerabilities in recent months [1][2][3][4][5][6][7][8][9]. Recently exploited Catalyst SD-WAN Manager and Controller flaws include CVE-2026-20133 (CVSS 7.5, EPSS >= 95th pctl), CVE-2026-20128 (CVSS 7.8, EPSS >= 90th pctl), CVE-2026-20122 (CVSS 5.4, EPSS >= 93rd pctl), CVE-2026-20127 (CVSS 10, EPSS 99th pctl), and CVE-2026-20182 (CVSS 10, EPSS >= 99th pctl). In total, eleven Cisco vulnerabilities have appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog this year.

SD-WAN platforms are attractive to cyber adversaries because they centralize routing, policy enforcement, network visibility, and administrative control across enterprise IT environments. Repeated exploitation of SD-WAN flaws indicates that attackers are prioritizing network infrastructure targets that can support traffic manipulation [T1565.002], lateral movement [TA0008], persistence [TA0003], and broader operational impact including ransomware attacks.

Greenbone’s OPENVAS ENTERPRISE FEED has detection for all CVEs discussed in this blog post and includes a dedicated family for detecting Cisco security vulnerabilities. Here are the top new emerging threats affecting Cisco products from June 2026:

More critical Cisco flaws and active exploitation in June 2026

More critical Cisco flaws
and active exploitation

CVE-2026-20245 and CVE-2026-20262: New Flaws in Catalyst SD-WAN Actively Exploited

CVE-2026-20245: Authenticated Command Execution with Root-Level Privileges

CVE-2026-20245 (CVSS 7.8, EPSS >= 57th pctl), published on June 4, 2026, allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root on Cisco Catalyst SD-WAN Controller, Manager, and Validator. The root cause is insufficient validation of user-supplied input in uploaded files [CWE-20]. According to Mandiant, attackers used stolen credentials in tandem with CVE-2026-20245 to gain root-level access via a malicious CSV upload.

CVE-2026-20245 affects Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager, and Cisco Catalyst SD-WAN Validator across all deployment types, including on-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud, and Cisco SD-WAN for Government. Cisco has released fixes in Catalyst SD-WAN releases 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. There are no workarounds, and Cisco recommends upgrading to a fixed release after preserving logs and collecting admin-tech files for compromise review.

CVE-2026-20262: Authenticated File Creation with Attack Chain for Root-Level Compromise

CVE-2026-20262 (CVSS 6.5, EPSS >= 63rd pctl), published on June 15, 2026, allows an authenticated remote attacker with valid low-privileged write access to create or overwrite files on Cisco Catalyst SD-WAN Manager systems. The flaw is caused by improper pathname restriction during file upload [CWE-22]. Cisco confirmed limited exploitation activity in June 2026, and CISA has added CVE-2026-20262 to its KEV catalog. There is no indication of a public PoC exploit or detailed third-party technical analysis.

According to Cisco, attackers can obtain the required privileges through valid credentials or prior exploitation of CVE-2026-20182 (CVSS 10) or CVE-2026-20127 (CVSS 10), and the vendor’s official advisory describes limited cases where exploitation pushed configuration changes to edge devices. Internet-exposed Catalyst SD-WAN Manager systems are at higher risk because exploitation can upload suspicious WAR or JSP files, deploy malicious code, and potentially support follow-on activity that leads to root-level compromise.

Cisco Catalyst SD-WAN Manager was affected regardless of device configuration across on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP) deployments. Cisco fixed the issue in Catalyst SD-WAN Manager releases 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. There are no workarounds for CVE-2026-20262, so mitigation requires upgrading to a fixed release. The OPENVAS ENTERPRISE FEED includes a remote banner check for identifying devices affected by CVE-2026-20262.

CVE-2026-20230: Unified Communications Manager Actively Exploited via Unauthenticated HTTP Requests

CVE-2026-20230 (CVSS 8.6, EPSS 42nd pctl), published on June 3, 2026, allows an unauthenticated remote attacker to exploit Cisco Unified Communications Manager and Unified CM Session Management Edition through a WebDialer server-side request forgery flaw [CWE-918]. The root cause is improper input validation of HTTP requests. Exploitation requires WebDialer to be enabled, which is disabled by default. However, successful attacks can write files to the underlying OS and support later privilege escalation to root-level.

CISA has added CVE-2026-20230 to its KEV list, making it the second known actively exploited CVE in Cisco Unified Communications Manager in 2026. Reports indicate the vulnerability is being used to drop web shells [T1505.003] for remote code execution (RCE). Public PoC exploit code and a full technical description have been released by SSD Secure Disclosure.

Cisco released fixes for Unified CM and Unified CM SME 14SU6 and 15SU5 or COP1, noted there are no workarounds, and recommends disabling WebDialer as a temporary mitigation until patching is complete. The OPENVAS ENTERPRISE FEED includes package-level detection for CVE-2026-20230.

Two Critical Flaws in Cisco ISE — One Allows Root-Level RCE

CVE-2026-20181 (CVSS 9.1, EPSS 43rd pctl) and CVE-2026-20190 (CVSS 7.5, EPSS 29th pctl), published on June 17, 2026, allow RCE, privilege escalation, denial of service (DoS), and information disclosure in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector. Active exploitation has not been reported and PoC exploit code or detailed technical analysis are not yet available.

CVE-2026-20181 allows an authenticated administrator to exploit HTTP requests to gain user-level OS access and escalate to root-level privileges. CVE-2026-20190 allows an unauthenticated attacker to access sensitive information, including hashed credentials that could support follow-on attacks if those credentials can be cracked. Both flaws affect Cisco ISE and ISE-PIC regardless of device configuration. In single-node deployments, CVE-2026-20181 can make the ISE node unavailable, preventing authentication by other endpoints until the node is restored.

Cisco states that there are no workarounds for either vulnerability, so affected customers should upgrade or apply the available hot patch where applicable. See Cisco’s advisory for specific affected versions and upgrade instructions. The OPENVAS ENTERPRISE FEED includes package-level detection for both CVE-2026-20181 and CVE-2026-20190 [1][2].

Summary

Cisco faced another wave of enterprise security threats to its products in June 2026 amid an ongoing barrage. Emerging threats include new actively exploited Catalyst SD-WAN and Unified Communications Manager vulnerabilities, plus critical Cisco ISE flaws. The issues enable root-level command execution, file creation, SSRF attacks, credential exposure, and DoS, as well as potential follow-on attacks if credentials are cracked. Greenbone’s OPENVAS ENTERPRISE FEED has detection for all CVEs discussed in this blog post and includes a dedicated family for detecting Cisco security vulnerabilities. Defenders can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Contact Test Now Buy Here Back to Overview
1. July 2026/by Joseph Lee
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-07-01 13:09:312026-07-01 13:09:31Cisco Enterprise Devices: More Critical Flaws and Active Exploitation in June 2026
Greenbone AG

The 5 Stages of Vulnerability Management Maturity

Blog

Effective vulnerability management does not begin and end with scanning. To be effective, vulnerability management requires a solid understanding of both scanner technology and your IT infrastructure. Operationally, vulnerability management depends on having reliable and repeatable processes, well-defined ownership, integration with day-to-day IT operations, and strategic governance.

Every organization exists at a different stage of VM maturity. Some are just beginning to introduce vulnerability scanning. Others have established operational processes but lack structured prioritization, remediation tracking, or business alignment. The most mature organizations treat vulnerability management as an essential security control for mitigating exposure to emerging threats and reducing overall business risk.

A vulnerability management maturity model provides a structured way to assess the current state of your organization’s program. It helps security, IT, and business stakeholders understand where their security posture stands today, identifies “blockers” limiting progress, and defines next steps toward a more effective and sustainable vulnerability management process.

In this article, we will review a structured model for defining VM maturity. The model defines 5 levels of maturity and explains how to identify where your organization sits within the model. It also describes the limitations that each level imposes on resilient operational cyber security.

Also interesting: Key Performance Indicators (KPI) for Measuring Vulnerability Management Performance

Understanding the 5 Stages of Vulnerability Management Maturity

Vulnerability management maturity can be divided into five levels. Each level reflects a different stage of discipline, operational capability, organizational involvement, and governance maturity. Organizations typically progress from basic technical scanning toward a risk-driven security program that is integrated into IT operations and continuously improved based on measurable KPI outcomes.

  1. Ad-hoc
  2. Repeatable / Operational
  3. Defined / Managed
  4. Integrated / Controlled
  5. Optimized / Strategic

Stage 1 – Ad-hoc

At the Ad-hoc stage, vulnerability management is typically a brand new activity to an organization, or being performed inconsistently. Scanning is not formally scheduled, and there are no documented security processes. The organization may have a scanning tool installed, but scan coverage is unmeasured and results are not systematically used to drive remediation.

The informal mindset at this stage is often: “We’ll scan it somehow.” While this attitude and raw effort may provide some initial visibility, it does not constitute a reliable vulnerability management program.

The Limitations of an Ad-hoc / Initial Security Program

The main limitation at this stage is the absence of structure. Without a complete asset inventory, an organization doesn’t know if critical systems are being scanned. Without a defined scope or schedule, scanning activity remains an afterthought. Without clear ownership, discovered vulnerabilities may not be communicated to the correct teams for remediation.

Common limitations include:

  • No complete asset inventory
  • No defined scan scope or schedule
  • No ownership or responsibilities
  • No reporting or KPIs
  • No structured remediation process

Stage 2 – Repeatable / Operational

At the Repeatable / Operational stage, vulnerability scanning is more consistent. Regular scans are performed, basic operational stability exists, and the organization has initial visibility into vulnerabilities across part of its environment. This level represents an important transition from informal activity to repeatable execution. An organization now reliably performs scans on a recurring basis, and some responsibilities for the vulnerability management program have been assigned, such as administrator or technical owner.

An organization may be scanning systems regularly, but it has not yet established a fully managed process for auditing, prioritizing, tracking, and remediating vulnerabilities.

The Limitations of a Repeatable / Operational Security Program

This Repeatable / Operational stage is still primarily technical. The main limitation at this stage is that vulnerability data is not yet effectively managed through a structured lifecycle. Organizations know where vulnerabilities exist, but lack a formal process for deciding which issues matter most, who should fix them, and by when. Governance is limited to basic reporting, without KPI-driven management or formal performance targets.

Common limitations include:

  • No structured prioritization
  • No defined remediation SLAs
  • Limited tracking of remediation
  • Weak cross-team collaboration

Stage 3 – Defined / Managed

At the Defined / Managed stage, vulnerability management becomes structured and measurable. An organization has established processes for identifying, prioritizing, remediating, and tracking vulnerabilities. Responsibilities are clearly assigned across relevant stakeholders, including IT and security teams. This level marks the point where vulnerability management becomes a managed operational process rather than a scanning activity.

An organization at this stage uses KPIs to measure performance, applies risk-based prioritization, and follows well-defined remediation workflows. Scan coverage is verified, and authenticated scanning is in place for defense in depth.

A Level 3 program can answer important management questions: Which vulnerabilities are most important? Who owns remediation? How long does remediation take? Are teams meeting defined targets? Where are recurring issues appearing?

The Limitations of a Defined / Managed Security Program

A program at this level is structured but not automated or deeply integrated. Processes are documented and measurable, but execution still depends largely on manual coordination. Integration of scanning infrastructure with IT operations, ticketing, patch management, or change management is non-existent or incomplete.

Common limitations include:

  • Limited automation
  • Weak integration into IT processes
  • Limited business alignment

Stage 4 – Integrated / Controlled

At the Integrated / Controlled stage, vulnerability management is firmly integrated into IT operations. The program is no longer managed as a separate security activity; it is integrated into the operational systems and workflows that control infrastructure, applications, patching, change management, incident response, and service management.

Processes at this stage are automated and scalable. Vulnerability findings can be converted into tickets, assigned to the correct owners, tracked through remediation, and measured against defined targets. Integrations with ITSM, SIEM, patch management, and related operational systems enable end-to-end visibility and control. Overall, an organization can manage vulnerability remediation with more consistency, accountability, and operational efficiency.

The Limitations of an Integrated / Controlled Security Program

The main limitation at this stage is a lack of strategic optimization. An organization has strong processes and integrations, but isn’t using vulnerability management data for feedback into long-term strategic planning, investment planning, or continuous optimization.

Common limitations include:

  • Limited strategic steering
  • Optimization potential not fully leveraged

Stage 5 – Optimized / Strategic

At the Optimized / Strategic stage, vulnerability management is risk-driven, continuously improving, and strategically aligned with business objectives. An organization not only treats vulnerabilities as technical defects; it evaluates them in the context of business risk, asset criticality, threat exposure, operational impact, and security strategy.

Continuous improvement is embedded into programs at this level. Metrics, remediation data, recurring vulnerability patterns, exception handling, and risk decisions are used to refine the vulnerability management process over time. Vulnerability management becomes part of a broader security governance and risk management capability.

The Limitations of an Optimized / Strategic Security Program

There are typically no major structural gaps at this maturity level. The program is stable, integrated, governed, and strategically aligned. Remaining limitations are considered optimization opportunities rather than foundational weaknesses.

Common optimization areas may include:

  • Refining risk models
  • Improving automation accuracy
  • Enhancing business context
  • Reducing remediation friction
  • Improving predictive and trend-based analysis

Summary

Vulnerability management maturity is about much more than whether an organization owns a scanning tool and how often scans are conducted. As organizations progress from Ad-hoc maturity to an Optimized / Strategic vulnerability management program, the process evolves from a technical one into a strategic security capability.

At its core, VM maturity is defined by how consistently an organization can identify vulnerabilities, prioritize them based on risk, assign ownership, track remediation, measure performance, and improve the process over time. An immature program provides occasional visibility, but cannot reliably guarantee that risk is reduced to an acceptable level. A highly mature program connects technology, process, organization, and governance into a controlled lifecycle.

Once an organization understands its existing maturity level, it can plan practical next steps. Asset coverage will improve, standards and process will be well understood by stakeholders, and well-defined ownership and SLAs will ensure reliable and effective results. The overall result is a strategic reduction in business risk.

Contact Test Now Buy Here Back to Overview
26. June 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-06-26 09:33:262026-06-29 10:09:57The 5 Stages of Vulnerability Management Maturity
Greenbone AG

Cyber Resilience Act and Open Source Software: What Software Vendors and Stewards Need to Know

Blog

The CRA’s scope for open-source software (OSS) was one of the most contested parts of the regulation. The OSS community raised legitimate concerns during the legislative process such as how should manufacturer obligations apply to non-commercial, volunteer-driven projects? The final regulation offers an answer, though how convincing that answer is depends on who you ask. Since March 2026, the European Commission’s (EC) first draft guidance has started to clarify the details.

For companies like Greenbone that both steward an open-source project (OPENVAS) and sell commercial products built on it, the answer is clear: full manufacturer obligations apply to the commercial side, and steward obligations apply to the open-source community activities. Knowing where those lines fall is important.

CVE-2025-20393-cisco-spam-filter

Open Source & CRA

The CRA’s Three-Tier Approach to Open-Source Software

Tier 1: Non-Commercial Open-Source Projects and Their Contributors (Out of Scope)

Free and open-source software (FOSS) developed and distributed in a purely non-commercial context (i.e. volunteers building software and sharing it freely, with no commercial intent or support model) does not impose CRA obligations on its creator or distributor. Only FOSS supplied in the course of a commercial activity falls in scope, and the EC’s draft guidance confirms that merely supplying non-monetized FOSS is not a commercial activity.

That said, “non-commercial” is still perhaps more narrowly defined than many projects assume. Accepting donations does not automatically make a project commercial. However, (EU) 2024/2847 Recital 15 states that “accepting donations exceeding the costs associated with the design, development and provision” does constitute commercial activity. The EC’s draft CRA guidance and (EU) 2024/2847 Recital 18 also state that the CRA does not apply to individuals or companies that merely contribute source code to FOSS projects that are not under their responsibility.

Tier 2: Open-Source Software Stewards (Lighter Obligations)

The CRA introduces the legal definition of an “open-source software steward”: a legal person that provides sustained, systematic support for the development of open-source products intended for commercial activities, or ensures those products’ viability. This covers software foundations, industry consortia, and companies that maintain and support OSS projects used commercially by others. A natural person is not classified as an OSS steward under (EU) 2024/2847 Article 3(14).

Stewards do not face the full obligations that manufacturers do. Their obligations are lighter than full manufacturer requirements: no CE marking, no formal conformity assessment, no required retention of technical documentation. However, under (EU) 2024/2847 Article 24, open-source software stewards must still:

  • Maintain a cyber security policy that fosters secure development of the OSS products they support
  • Cooperate with market surveillance authorities and make security documentation available on request
  • From 11 September 2026, report actively exploited vulnerabilities and severe security incidents that affect the network and information systems provided for development of their OSS products
  • Effectively remediate vulnerabilities and ensure they are accessible to users without undue delay
  • Establish a policy that fosters voluntary vulnerability reporting by the developers of the software product

Stewards are also exempt from administrative fines for CRA infringements under Article 64(10). Enforcement works through cooperation and corrective measures rather than financial penalties.

Tier 3: Commercial OSS Vendors (Full Manufacturer Obligations)

If an individual (natural person) or legal person (such as a company or other type of organization) develops and distributes OSS and places it on the EU market in the course of commercial activity, they qualify as a manufacturer under the CRA. The CRA’s threshold for “commercial activity” is broad. It is not only about selling a license. Providing paid support, SLA-backed hosting, or professional services built around an OSS product also constitutes commercial activity under the CRA. All Annex I requirements apply to manufacturers: secure-by-default design, vulnerability handling, 24-hour incident reporting, SBOM, technical documentation, and CE marking.

Manufacturers remain responsible for vulnerability handling in their own products, including vulnerabilities caused by integrated third-party OSS components. (EU) 2024/2847, Article 13 specifies that manufacturers must exercise due diligence when integrating third-party components. Upon identifying a vulnerability in an integrated component, including an FOSS/OSS component, they must report the vulnerability to the person or entity manufacturing or maintaining that component and, without delay, remediate the vulnerability in accordance with (EU) 2024/2847 Annex I, Part II.

The Cyber Resilience Act requires regular vulnerability assessments and external audits – on a continuous and sustainable basis.

OPENVAS SECURITY INTELLIGENCE supports your CRA compliance – on premises or in the cloud. Contact us to learn more.

➜ Achieve CRA compliance together

The EC’s March 2026 Draft Guidance: What We Know Now

The public feedback period for the EC’s March 2026 draft guidance closed on 31 March 2026. Some edge cases remain unclear, although final guidance is expected later in 2026. Organizations should revisit any scope conclusions based on the draft once the final version is published. In its March 2026 draft guidance on applying the CRA, the EC does make some clarifications for the definition of “commercial activity” and addresses other key issues regarding scope.

Key clarifications include:


  • A product can be free and open-source and still be considered “made available on the market” if it is also offered as part of a commercial service or monetized support model
  • The presence of publicly available code alone, such as a GitHub repository, does not constitute market placement; a commercial relationship is what imposes responsibility
  • Dual-license models (free OSS edition + commercial enterprise edition) place the commercial edition firmly within scope of the CRA; the free edition’s status further depends on its association with commercial activity
  • Responsibility follows governance: whoever publishes and effectively controls a project bears the obligations, not whoever technically publishes changes to the software’s source code
  • Manufacturer responsibility also extends beyond the original developer to companies integrating or rebranding OSS components into products placed on the EU market

September Reporting: The Clock Is Ticking

The first hard CRA deadline applies to all products with digital elements, including OSS. From 11 September 2026, manufacturers and stewards must report actively exploited vulnerabilities and severe incidents that may affect the security of the digital products they are responsible for.

The reporting deadlines are tight: an early warning is due within 24 hours of awareness, a full notification within 72 hours, and a final report within 14 days for exploited vulnerabilities or one month for severe incidents. Reports are submitted through ENISA’s Single Reporting Platform (SRP), and onboarding instructions and a reporting manual are expected from ENISA in June 2026.

What This Means for Greenbone

Greenbone operates across two tiers: as a manufacturer of digital products, and as an open-source software steward. As discussed above, the CRA imposes distinct obligations for both of these roles. As a manufacturer, Greenbone is responsible for the commercialized OPENVAS enterprise IT security products, and, as a steward, we take responsibility for our FOSS community projects.

Greenbone meets our manufacturer responsibilities through a wide range of IT security policies, controls, and response plans. This includes continuous vulnerability management, GDPR-compliant architecture, documented security practices, and other IT security best practices. As an active ISO/IEC 27001:2022 and ISO 9001:2015 certified organization, Greenbone is dedicated to the most stringent quality standards for Information Security. As an OSS steward, Greenbone is prepared to fulfill the CRA requirements for our OPENVAS community software projects.

Finally, as a vendor of digital products specifically for cyber security, Greenbone’s customers use our OPENVAS line of IT security products to meet their own CRA obligations. This means we are responsible not only for fulfilling our own CRA obligations, but also for understanding the technical needs that other organizations have to stay compliant. This dual role as a manufacturer of digital products and a vendor of cyber security products that help other organizations achieve CRA compliance gives Greenbone a clear vantage point: navigating the regulation while also broadly supporting global manufacturers of digital products to do the same.

Are you ready for the Cyber Resilience Act?

CRA-compliant vulnerability assessments and audits – OPENVAS SECURITY INTELLIGENCE guides you toward compliance, on premises or in the cloud.

➜ Request a consultation now

Recommendations for Software Vendors Working with Open Source

  1. Map your OSS usage. Every open-source component in your products must be identified, documented, and tracked. This is the foundation of your SBOM and is required by the CRA regardless of the component’s own compliance status.
  2. Audit your commercial relationships. If you monetize OSS in any way, such as paid support, SaaS delivery, professional services, seek legal advice on whether full manufacturer obligations apply. The draft guidance’s monetization test is the place to start.
  3. Prepare for September reporting now. Set up an internal process that can produce a 24-hour early warning, and watch for ENISA’s SRP onboarding instructions (due in June 2026).
  4. Engage with the community. The ORC Working Group maintains a CRA FAQ and resource hub for OSS stewards and manufacturers (cra.orcwg.org and the CRA Hub on GitHub). The OpenSSF is also tracking CRA policy developments.
  5. Track the EC’s final guidance. The feedback window closed on 31 March 2026. When the Commission publishes the final version, revisit any scope conclusions based on the draft.

Read the full guide: The Complete Guide to the EU Cyber Resilience Act – all requirements, timelines, and penalties in one place.



1. Sources European Commission — Cyber Resilience Act (Regulation EU 2024/2847), Official Journal https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
2. European Commission — CRA and open source software policy page
https://digital-strategy.ec.europa.eu/en/policies/cra-open-source
3. European Commission — Draft guidance announcement (3 March 2026)
https://digital-strategy.ec.europa.eu/en/news/commission-publishes-feedback-draft-guidance-assist-companies-applying-cyber-resilience-act
4. European Commission — CRA reporting obligations
https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
5. ENISA — Single Reporting Platform (SRP)
https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp
6. Eclipse Foundation ORC Working Group — orcwg.org
https://orcwg.org/
7. ORC Working Group — CRA Hub (FAQ and implementation resources)
https://github.com/orcwg/cra-hub
8. ORC Working Group — White paper: Open Source Software Stewards and the CRA
https://orcwg.org/cra/resources/d3-5-white-paper-on-open-source-software-stewards-and-cra/
9. OpenSSF — EU Cyber Resilience Act policy page
https://openssf.org/public-policy/eu-cyber-resilience-act/
10. OpenSSF — Global Cyber Policy Working Group CRA tracker
https://policy.openssf.org/CRA/

Contact Test Now Buy Here Back to Overview
18. June 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-06-18 17:05:462026-06-18 17:12:36Cyber Resilience Act and Open Source Software: What Software Vendors and Stewards Need to Know
Joseph Lee

May 2026 Threat Report: Double Down on Scanning and Patching

Blog

Exploitation of vulnerabilities has now emerged as the most common way that attackers gain initial access into an organization’s environment, which underlines the ongoing importance of getting the basics right.

  • Verizon 2026 Data Breach Investigation Report [1]
CVE-2025-20393-cisco-spam-filter

More CVEs, Less Time

The industrialization of vulnerability exploitation is not new; the process-driven approach to vulnerability weaponization long predates LLMs. But increasingly, sophisticated cyber security skills are available to anyone with a laptop. Anthropic’s first official impact report for Mythos has been released [1][2]. The results indicate that, despite not yet achieving perfection, the impact will be felt by software vendors and defenders.

In April and May 2026, major software vendors [3][4][5], security intelligence providers [6][7][8], and cyber security news outlets [9] acknowledged Mythos’ impact on vulnerability disclosures. Security researchers from Mozilla claim it is “difficult to overstate how much this dynamic changed for us over a few short months”. Cisco noted the lack of downstream support for disclosing the upcoming deluge of new issues. Combined with the DBIR quote at the top of this blog post, the takeaway is clear. Defenders need to double down on continuous vulnerability management and audit patching performance to reduce critical risk exposure.

Cisco Publishes Two CVSS 10 Flaws — Catalyst SD-WAN Actively Exploited

Two new maximum-severity flaws were disclosed for Cisco products in May 2026. CVE-2026-20182, affecting Cisco Catalyst SD-WAN, is considered actively exploited; CISA has added the flaw to its KEV list and updated guidance on attacks targeting Catalyst SD-WAN. Six other CVEs in Catalyst SD-WAN were also added to CISA KEV in 2026. The other new max-severity flaw from May 2026 is CVE-2026-20223 affecting Cisco Secure Workload.

National CERT alerts were widely issued for both CVE-2026-20182 [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18] and CVE-2026-20223 [19][20][21][22][23][24][25][26][27][28][29]. Details on both CVEs are included below:

  • CVE-2026-20182 (CVSS 10, EPSS >= 99th pctl): A vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager allows an unauthenticated, remote attacker to bypass authentication [CWE-287] to log in as an internal administrative user. Using the hijacked account, an attacker can access NETCONF and manipulate network configurations for the SD-WAN fabric. The flaw is exploitable via HTTP requests to the affected system. See Cisco’s official advisory for more information.
  • CVE-2026-20223 (CVSS 10): Missing authentication [CWE-306] in the REST APIs of Cisco Secure Workload allows an unauthenticated remote attacker to access site resources with Site Admin Attackers can use crafted HTTP API requests to read sensitive information and make configuration changes across tenant boundaries. See Cisco’s official advisory for more information.

Cisco states there are no workarounds for either vulnerability. Patches must be applied for full mitigation. OPENVAS ENTERPRISE FEED includes detection for CVE-2026-20182 and CVE-2026-20223, and detection for other CVEs for Cisco products published in May 2026.

February 2026 Flaw in Trend Micro Apex One Now Actively Exploited

CVE-2026-34926, affecting Trend Micro Apex One 2019, has now been reported as actively exploited and has been added to CISA’s KEV list. Trend Micro issued a Critical Patch [KA-0022458] for the CVE in February 2026, along with two other critical-severity flaws. The patch also increased protection against CVE-2025-54948 (CVSS 9.8) and CVE-2025-54987 (CVSS 9.8), which were both added to CISA’s KEV list in mid-2025 [1][2]. On March 3rd 2026, the vendor issued updates for CVE-2025-71210  (CVSS 9.8) and CVE-2025-71211 (CVSS 9.8) [3][4] noting that they allow unauthenticated remote attackers to execute arbitrary code on affected installations.

Actively exploited CVE-2026-34926 (CVSS 6.7) is a directory traversal vulnerability [CWE-23] in the Apex One 2019 on-premise server and Server and Agent builds below 17079, Apex One as a Service SaaS, and Trend Vision One Endpoint for Windows. The flaw allows an attacker to modify a key table on the server to inject malicious code and deploy it to agents. The attacker must have access to the Apex One Server with Windows administrative credentials but authentication to Apex One itself is not required.

Greenbone’s OPENVAS ENTERPRISE FEED includes regular Windows detection for Trend Micro security advisories and added detection for KA-0022458 CVEs the day after they were issued in February 2026.

Living on the Edge: Emerging Threats to Perimeter IT Devices

According to Verizon’s 2026 DBIR report, exploitation of vulnerabilities has become the most common way attackers gain initial access into an organization’s environment. The findings underline the importance of detecting vulnerable software and applying patches. On that note, here are some of the high-risk threats to perimeter IT systems that emerged in May 2026.

Palo Alto Networks PAN-OS Actively Exploited

CVE-2026-0300 (CVSS 9.8, EPSS >= 95th pctl) is a new buffer overflow vulnerability [CWE-787] in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. The flaw is actively exploited and has been added to CISA’s KEV list. PAN-OS versions 10.2 through 12.1.x are affected, and vulnerable devices include the PA-Series and VM-Series firewalls.

The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected devices with root privileges. Risk is greatly reduced by restricting access to only trusted internal IP addresses. Numerous national CERT agencies have issued alerts for CVE-2026-0300 indicating high global risk [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]. CISA and Siemens also issued alerts for Siemens RUGGEDCOM APE1808 (Application Processing Engine) devices at risk from CVE-2026-0300 [19][20].

Another flaw, CVE-2026-0257 (CVSS 7.8), affecting PAN-OS GlobalProtect deployments, was also added to CISA’s KEV list after observed exploitation. Palo Alto has rated the CVE with the Highest urgency rating. CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway that can allow an unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection.

The OPENVAS ENTERPRISE FEED includes package-level detection for both CVE-2026-0300 and CVE-2026-0257 [21][22] and includes an extensive family of vulnerability tests for PAN-OS vulnerabilities.

Ivanti EPMM: Three Critical-Severity and One Actively Exploited

Ivanti released a security advisory in May 2026, describing new CVEs impacting its Endpoint Manager (EPMM) product. Three critical-severity flaws allow unauthenticated remote attackers to trigger arbitrary functions on the EPMM appliance, impersonate registered Sentry hosts, obtain valid CA-signed client certificates, or enroll a device from a restricted set of unenrolled devices. CISA has added a separate high-severity flaw from the Ivanti’s advisory, CVE-2026-6973, to its KEV list. Details on the highest-risk flaws are included below:

  • CVE-2026-6973 (CVSS 7.2, EPSS >= 91st pctl): Improper input validation [CWE-20] allows a remote authenticated user with administrative access to achieve remote code execution (RCE). CISA has added CVE-2026-6973 to its KEV list.
  • CVE-2026-5788 (CVSS 9.8): Improper access control [CWE-284] allows an unauthenticated remote attacker to invoke arbitrary methods.
  • CVE-2026-5787 (CVSS 9.1): Improper certificate validation [CWE-295] allows an unauthenticated remote attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
  • CVE-2026-7821 (CVSS 9.1): Improper certificate validation [CWE-295] allows an unauthenticated remote attacker to enroll a device belonging to a restricted set of unenrolled devices. Exploitation can lead to information disclosure about an EPMM appliance and impact on the integrity of the newly enrolled device identity.

The flaws affect EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. No technical details or PoC exploits are publicly available for any of the CVEs. Ivanti EPMM has been battered by cyber attacks  in recent years, appearing eight times on CISA’s KEV list — twice associated with ransomware attacks. Greenbone provides broad vulnerability detection for Ivanti products, allowing defenders to detect and mitigate emerging threats.

Multiple Fortinet Products Hit with Critical Vulnerabilities

Fortinet published multiple security advisories in May 2026, affecting FortiSandbox, FortiOS, FortiAP, FortiAnalyzer, FortiManager, and FortiAuthenticator. The disclosures include two critical flaws: CVE-2026-26083 in FortiSandbox and CVE-2026-44277 in FortiAuthenticator. Both vulnerabilities are remotely exploitable and can allow unauthorized code or command execution, presenting strong risk signals for exposed appliance interfaces. There is no evidence that either CVE is actively exploited or that detailed technical descriptions or PoC exploits are publicly available.

  • CVE-2026-26083 (CVSS 9.8): Missing authorization [CWE-862] in the FortiSandbox GUI allows RCE for a remote, unauthenticated attacker via crafted HTTP requests. The vulnerability requires no privileges and no user interaction, and successful exploitation can have a high impact on confidentiality, integrity, and availability. Affected versions include FortiSandbox 5.0 and 4.4; FortiSandbox Cloud 24, 23, and 5.0; and FortiSandbox PaaS 23.4, 23.3, 23.1, 22.2, 22.1, 21.4, 21.3, 5.0, and 4.4. Several national CERT alerts have been issued for CVE-2026-26083 [1][2][3][4][5][6][7][8][9].
  • CVE-2026-44277 (CVSS 9.8): Improper access control [CWE-284] in FortiAuthenticator allows an unauthenticated attacker to execute unauthorized code or commands via crafted requests. FortiAuthenticator Cloud is not impacted. Affected versions include FortiAuthenticator 8.0.2, 8.0.0, 6.6.0 through 6.6.8, and 6.5.0 through 6.5.6. Multiple national CERT alerts have been issued for CVE-2026-44277 [10][11][12][13][14][15][16][17].

Organizations should apply vendor patches as soon as possible. OPENVAS ENTERPRISE FEED includes detection coverage for the flaws mentioned above [18][19] and a dedicated detection family for Fortinet vulnerabilities.

New SQL Injection in Drupal Core with PostgreSQL Actively Exploited

CVE-2026-9082 (CVSS 9.8) is a new actively exploited [1][2][3], unauthenticated SQL injection vulnerability [CWE-89] that affects the Drupal open-source content management system (CMS). Exploitation could allow privilege escalation and RCE on an affected server via malicious HTTP requests. Drupal supports multiple back-end database servers. Drupal’s official advisory states that CVE-2026-9082 only affects instances using PostgreSQL. The vendor further estimated 5% of installations use PostgreSQL.

A full technical description with PoC exploit code and at least one additional PoC is available for CVE-2026-9082, increasing the risk. Multiple national CERT agencies have issued alerts [4][5][6][7][8][9][10][11][12][13]. Drupal core versions 8.x through 11.3.x are affected, and fixes are available in versions 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10, and via manual patches for versions 9.5 and Drupal 8.9. The OPENVAS ENTERPRISE FEED includes detection for both Windows and Linux installations [14][15].

vm2 Project Erupts with Critical Severity Vulnerabilities

Thirteen critical-severity vulnerabilities were disclosed affecting the vm2 project in May 2026. The vm2 project is a Node.js sandboxing library mainly used to execute untrusted or user-supplied JavaScript in an isolated environment. The group of CVEs included several maximum-severity CVSS 10 flaws. Collectively, the vulnerabilities undermine vm2’s core security boundary: isolating untrusted JavaScript from the underlying Node.js host environment. Successful exploitation can allow sandbox escape and arbitrary code or operating system command execution in the context of the host process.

Affected vm2 versions vary by CVE, spanning multiple release lines. Some of the earlier issues were fixed in 3.10.5, 3.11.0, 3.11.1, or 3.11.2, while later CVEs affected versions through 3.11.3 and were patched in 3.11.4. Users should upgrade to 3.11.5 or later. The OPENVAS ENTERPRISE FEED includes package-level detection for all new CVEs impacting the vm2 project.

Multiple Critical Flaws in Apache Software Products

In May 2026, the Apache Software Foundation published 18 critical-severity CVEs and an additional 28 high-severity flaws. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for all Apache software flaws mentioned in this section, and many more. The most critical new CVEs are briefly described below:

One Critical and Several High Severity Flaws in HTTP Server

CVE-2026-28780 (CVSS 9.8) and CVE-2026-23918 (CVSS 8.8, EPSS >= 0.77th pctl) affect Apache HTTP Server 2.4.66 and earlier and specific 2.4.66 configurations. Both CVEs are memory-safety issues. CVE-2026-28780 is a heap-based buffer overflow [CWE-122] in mod_proxy_ajp; exploitation requires Apache HTTP Server to connect through mod_proxy_ajp to a malicious AJP server.

CVE-2026-23918 is a “double free” vulnerability [CWE-415] affecting the HTTP/2 implementation. When a program calls free() twice with the same argument, data structures may become corrupted, potentially allowing reading or modification of unexpected memory addresses. The flaw can be triggered during an early stream reset and can cause denial of service (DoS), with possible RCE depending on runtime conditions. Apache recommends upgrading to Apache HTTP Server 2.4.67, which fixes both issues.

Two New Critical Flaws in Apache MINA

CVE-2026-42778 (CVSS 9.8) and CVE-2026-42779 (CVSS 9.8) are critical deserialization vulnerabilities in Apache MINA that can expose affected applications to unauthenticated RCE when they use Apache MINA to deserialize Java classes supplied by a client. Both flaws affect Apache MINA 2.1.x and 2.2.x branches and stem from incomplete or unapplied fixes for earlier deserialization issues.

Three Critical Flaws in Apache OFBiz

CVE-2026-45434 (CVSS 9.8), CVE-2026-41919 (CVSS 9.1), and CVE-2026-31986 (CVSS 9.1) affect Apache OFBiz versions before 24.09.06 and can expose affected ERP deployments to authentication bypass, unauthorized access, or code execution, depending on configuration and attack path. CVE-2026-45434 is the highest-risk issue. The flaw is caused by improper authentication in password-change logic that can lead to unauthenticated RCE.

Three Critical Flaws in Apache Tomcat

CVE-2026-43512 (CVSS 9.8), CVE-2026-41293 (CVSS 9.8), and CVE-2026-43515 (CVSS 9.1) affect Apache Tomcat. Collectively, the flaws can expose vulnerable deployments to authentication bypass or authorization failures depending on configuration. CVE-2026-43512 affects deployments using DIGEST authentication and allows an unknown user to be authenticated with a specific invalid password condition.

CVE-2026-41293 stems from improper validation of HTTP/2 request headers, allowing malformed or unexpected header values to trigger unsafe downstream behavior. CVE-2026-43515 is an improper authorization flaw involving overlapping HTTP method constraints that can allow unauthorized access to protected resources. Users should upgrade to fixed Tomcat versions, including 11.0.22, 10.1.55, or 9.0.118 where applicable.

Two Critical Flaws in Apache Camel

CVE-2026-47323 (CVSS 9.8) is a critical-severity message header injection and request forwarding vulnerability affecting the Apache Camel integration framework. The flaw allows an unauthenticated attacker to inject Camel-internal headers (e.g. CamelExecCommandExecutable and CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints.

Langflow Actively Exploited and Five Additional Critical-Severity Flaws in 2026

Langflow is a popular Python-based open-source platform for low-code building and deploying AI applications, agents, and workflows. IBM reports that tens of thousands of developers use it for generative-AI development. In May 2026, CVE-2025-34291 (CVSS 8.8) affecting Langflow was reported as actively exploited and added to CISA’s KEV list. Five additional critical-severity CVEs affecting Langflow have been disclosed since the start of 2026.

  • CVE-2025-34291 (CVSS 8.8, EPSS >= 97th pctl): A chained vulnerability caused by permissive cross-origin behavior [CWE-346] and leading to flawed session/token handling can enable account takeover and RCE when a user interacts with a malicious webpage. The victim needs to be authenticated while visiting an attacker-controlled webpage that makes credentialed cross-origin requests to Langflow because of the permissive CORS and cookie configuration.
  • CVE-2026-33017 (CVSS 9.8): An unauthenticated RCE flaw in the public temporary flow-build endpoint, where attacker-supplied flow data can be processed as executable Python code without adequate sandboxing.
  • CVE-2026-21445 (CVSS 9.1): Missing authentication [CWE-306] on some critical API endpoints allows unauthenticated attackers to access sensitive user data, conversation or transaction records, and perform destructive operations such as message deletion.
  • CVE-2026-33309 (CVSS 9.9): A bypass of an earlier filename-control patch in the LocalStorageService layer allows arbitrary file write behavior [CWE-22] through the v2 API, potentially leading to RCE.
  • CVE-2026-27966 (CVSS 9.8): The CSV Agent node exposed sensitive Python REPL functionality, allowing attackers to execute arbitrary Python or operating system commands via prompt injection.
  • CVE-2026-42048 (CVSS 9.6): A path traversal flaw [CWE-22] in the Knowledge Bases API allows an authenticated attacker to delete arbitrary directories on the server by supplying unsafe knowledge base names. The flaw is due to concatenating user-supplied names into filesystem paths without proper boundary validation.

Summary

Mythos and other AI coding models are having an obvious impact on the number of new vulnerabilities disclosed in key enterprise software. The same technology also enables attackers to develop exploits easier and faster.

Defenders should implement continuous vulnerability management and audit performance to reduce risk exposure with OPENVAS SCAN and the OPENVAS ENTERPRISE FEED for industry-leading vulnerability coverage. Greenbone produces thousands of new vulnerability tests per month to detect flaws in enterprise software applications, IT networking products, major OSs and browsers, Linux packages, productivity tools, agentic AI tooling, and more. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Contact Test Now Buy Here Back to Overview
10. June 2026/by Joseph Lee
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-06-10 10:47:392026-06-10 10:47:39May 2026 Threat Report: Double Down on Scanning and Patching
Greenbone AG

The September 2026 CRA Deadline: What Manufacturers Must Do Right Now

Blog

Time-sensitive

This article focuses on the 11 September 2026 vulnerability reporting deadline — the first hard enforcement milestone under the Cyber Resilience Act. As of June 2026, you have approximately 100 days to prepare.

Most companies treating the CRA as a 2027 problem are already behind. According to the 2026 CRA Awareness and Readiness Report from OpenSSF and Linux Foundation Research, 66% of software producers surveyed remain unfamiliar with the regulation — and that figure has risen year-over-year. The first enforcement date is not December 2027. It is 11 September 2026, when Article 14 vulnerability reporting obligations become legally binding. From that date, if a vulnerability in your product is being actively exploited, you are required to file an early warning through the ENISA Single Reporting Platform within 24 hours of becoming aware of it. Miss that window, and you are already non-compliant — with penalty exposure of up to €15 million or 2.5% of global annual turnover, whichever is higher.

What Exactly Must You Start Doing in September 2026?

The reporting obligation is triggered by two conditions, either of which requires action:

  • An actively exploited vulnerability in any of your in-scope products, regardless of severity
  • A severe incident affecting the security of your products — for example, a significant breach or systemic compromise

Once either condition is met, a three-stage reporting cascade begins:

 

Stage 1 — Early Warning: Within 24 Hours

Submit an early warning through the ENISA Single Reporting Platform confirming your awareness of an actively exploited vulnerability. You are not required to provide full technical details at this stage. The purpose is to flag that you are aware and managing the situation. The SRP will automatically route the report to your national CSIRT coordinator and to ENISA simultaneously.

Stage 2 — Full Notification: Within 72 Hours

Submit a full notification including technical details of the vulnerability, an initial severity assessment (using CVSS or equivalent), affected products and versions, and any available mitigations or workarounds. This report must be accurate and complete — rushed or inaccurate reports can trigger Tier 3 penalties for providing incorrect information.

Stage 3 — Final Report: Within 14 Days of Issuing a Fix

Once you have issued a security update or workaround, submit a final report to ENISA within 14 days, or one month in the case of a severe incident. This closes the reporting loop and must include a comprehensive vulnerability description, root cause analysis, impact assessment, and a full account of the remediation steps taken.

One Detail Most Teams Miss: It Applies to Existing Products Too

The September 2026 reporting obligations not only apply to products launched after that date. Under CRA Article 69(3), they apply to all products with digital elements already placed on the EU market, including products shipped years before the CRA existed. If a vulnerability in a product you released in 2021 is being actively exploited in September 2026, you are required to report it. This catches many teams off guard: your scope for this obligation is your entire active product catalogue, not just your next release.

A second detail worth locking in: the 24-hour clock starts at reasonable belief of active exploitation, not confirmed forensic evidence. If your monitoring flags credible signals of exploitation, you cannot wait for certainty before submitting the early warning. Waiting for confirmation is how organisations will miss the window.

Why This Is Harder Than It Sounds

Most organisations do not have a tested, 24-hour vulnerability notification process. Building one requires:

Your September 2026 Readiness Checklist

  • Identify all in-scope products and confirm their support periods, including legacy products already on the EU market
  • Implement or verify continuous vulnerability scanning across all in-scope products and their components
  • Document your internal escalation process for suspected actively-exploited vulnerabilities
  • Identify who is responsible for submitting ENISA reports (legal, security, or a designated DPO-equivalent)
  • Register with your national CSIRT and prepare for registration on the ENISA Single Reporting Platform (SRP)
  • Conduct a tabletop exercise simulating a 24-hour reporting scenario
  • Brief executive leadership on reporting obligations and liability exposure
  • Ensure your vulnerability management tooling can produce audit-ready reports in the required format
✅ Well done — your organisation is equipped for the 11 September 2026 reporting deadline.

The Other Deadlines in the Frame

September 2026 is the most urgent date, but it is not the only one. By 30 August 2026, harmonised standards covering vulnerability handling (Type A/horizontal) and product security (Type B) are expected to be published — giving manufacturers their first authoritative compliance benchmarks. Full product conformity for all categories does not apply until 11 December 2027, but organisations that wait for the standards before starting work will have very little implementation runway.

This means that with less than 100 days until the reporting deadline and the harmonised standards landing just two weeks before it, the summer of 2026 is a period of compressed, parallel compliance activity. Starting this journey now is not early. It is the last moment to avoid being caught without a tested process when the clock starts.

→ Read the full guide

The Complete Guide to the EU Cyber Resilience Act — all requirements, product categories, and the full timeline in one place. Read the guide →

Sources

  1. Regulation (EU) 2024/2847 — Cyber Resilience Act (EUR-Lex, official legislative text)
    https://eur-lex.europa.eu/eli/reg/2024/2847/2024-11-20

  2. 2026 CRA Awareness and Readiness Report — OpenSSF / Linux Foundation Research
    https://openssf.org/blog/2026/05/18/taking-stock-of-the-state-of-european-cyber-resilience-act-cra-compliance-an-urgent-wake-up-call-for-the-open-source-ecosystem/

  3. Cyber Resilience Act — Summary of the legislative text (European Commission)
    https://digital-strategy.ec.europa.eu/en/policies/cra-summary

  4. Cyber Resilience Act — ENISA (Single Reporting Platform)
    https://www.enisa.europa.eu/topics/cyber-resilience-act
Contact Test Now Buy Here Back to Overview
4. June 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-06-04 12:39:002026-06-04 12:58:04The September 2026 CRA Deadline: What Manufacturers Must Do Right Now
Greenbone AG

When the Referee Stops Blowing the Whistle

Blog

NIST Significantly Reduces Independent CVSS Scoring in the NVD

For years, the routine has been the same. A new vulnerability appears, the security team checks the NVD, looks at the CVSS score, and decides: patch now or wait. A single number, produced by a U.S. federal agency, has become the pace-setter for millions of systems worldwide.

That pace-setter is now stepping back.

NIST has announced that it will significantly reduce its routine CVSS scoring activities for the National Vulnerability Database (NVD). The backlog of unprocessed entries has been growing since February 2024—from around 13,000 in June 2024 to over 27,000 by the end of 2025—amid a rising number of reported vulnerabilities and a stagnant budget.

What remains when NIST is no longer providing oversight is the CVSS score assigned by the software vendor itself.

CVE-2025-20393-cisco-spam-filter

NIST steps aside

The structural problem behind the headline

Within the security community, it is no secret that vendors tend to rate the severity of their own vulnerabilities conservatively. Until now, NIST has balanced this conflict of interest through an independent second assessment. That independence is now disappearing, and for teams that have relied on NVD CVSS scores as their primary source of prioritization, this represents a significant shift.

For Greenbone users, however, nothing changes operationally. Not because the news is irrelevant, but because the NIST NVD has never been Greenbone’s only source of vulnerability intelligence.

A broad international database rather than a single source of truth

For years, Greenbone’s approach has been built on a broad, international foundation of data sources. Vulnerability information is gathered from a diverse portfolio including official databases, vendor advisories, national authorities, European initiatives such as the European Vulnerability Database (EUVD), and the global security community. Each source is evaluated, weighted, and cross-referenced.

The value of this diversity becomes particularly clear in situations like the current one: when a single source becomes unavailable or loses quality, the overall picture for Greenbone users remains largely unchanged. This is not a reaction to a crisis—it has been an architectural principle since day one.

Are vendor-assigned scores inherently unreliable? The honest answer is no, not necessarily. Vendors that provide structured and transparent vulnerability information contribute valuable data—and Greenbone uses that information directly. The challenge lies in the structural incentive to downplay one’s own weaknesses and in the lack of independence when a single source becomes the sole authority.

The EuVD: European Sovereignty as a Constructive Response

The current NIST situation also highlights a broader dependency issue: Europe has relied for too long on a single U.S. institution for vulnerability assessment. The European Vulnerability Database (EUVD), operated by ENISA, represents the right response—sovereign, European, and independent of U.S. budget decisions.

Greenbone has actively integrated the EUVD from the beginning because any reliable new source naturally belongs in a diversified vulnerability intelligence ecosystem.

For security teams, the key question is therefore not whether NIST will recover.

The real question is how resilient your vulnerability assessment process remains when one source disappears—and whether you already know the answer today.

Learn how your organization can meet the requirements of the Cyber Resilience Act and sustainably strengthen your cyber resilience.

Learn more →
Contact Test Now Buy Here Back to Overview
3. June 2026/by Greenbone AG
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Greenbone AG https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Greenbone AG2026-06-03 13:16:542026-06-03 13:16:54When the Referee Stops Blowing the Whistle
Page 1 of 3123

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn