Skip to content

Security Sense

AI Threat Intelligence

  • About
  • Blog
  • Privacy Policy

CVE-2026-6973: Remote Code Execution in Ivanti EPMM

Posted on May 15, 2026 by Kyle

Overview

CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that permits remote code execution. This flaw affects specific versions of EPMM and requires prior administrative authentication for exploitation. Its inclusion in CISA’s KEV catalog signifies active exploitation in the wild, making immediate patching critical for organizations utilizing Ivanti EPMM.

Technical Analysis

  • Vulnerability: Improper Input Validation (CWE-20).
  • Impact: Remote Code Execution (RCE).
  • Affected Products: The vulnerability affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
    • ivanti endpoint_manager_mobile < 12.6.1.1
    • ivanti endpoint_manager_mobile 12.7.0.0
    • ivanti endpoint_manager_mobile 12.8.0.0
  • Attack Vector: Network-based (AV:N).
  • Prerequisites: Requires a remotely authenticated user with administrative access (PR:H).
  • CVSS 3.1 Score: 7.2 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Detection

  • Monitor Ivanti EPMM logs for unusual administrative activity, especially related to configuration changes, unexpected process spawns, or command execution attempts.
  • Look for outbound network connections from the EPMM appliance to unknown or suspicious external IP addresses.
  • Review system logs for signs of unauthorized file modifications or new user account creation on the EPMM server.
  • No specific Sigma or YARA rules are publicly available for this CVE at the time of writing.

Mitigations

  1. Apply the latest security patches immediately. Ivanti has released fixes in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
  2. Ensure all administrative accounts for Ivanti EPMM utilize strong, unique passwords and multi-factor authentication (MFA).
  3. Restrict network access to the Ivanti EPMM administrative interface to only trusted IP ranges and necessary personnel.
  4. Regularly audit administrative user activity and system logs for anomalies.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-6973
  • https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
  • https://ltna.com.au/cyber

Indicators of Compromise

No public IOCs available at time of writing.

🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,397 input / 899 output tokens ·
Reviewed and approved by a human analyst before publication
Leave a comment

WordPress Funnel Builder Plugin Vulnerability Actively Exploited for Credit Card Theft

Posted on May 15, 2026 by Kyle

Overview

A critical vulnerability within the Funnel Builder WordPress plugin is being actively exploited. Attackers are leveraging this flaw to inject malicious JavaScript into WooCommerce checkout pages, aiming to steal sensitive credit card details from customers. This directly impacts e-commerce platforms utilizing the vulnerable plugin, leading to potential financial fraud and reputational damage.

Technical Analysis

  • The vulnerability is identified as a critical flaw within the Funnel Builder plugin for WordPress.
  • Exploitation involves injecting malicious JavaScript snippets into legitimate WooCommerce checkout pages.
  • The injected scripts are designed to intercept and exfiltrate credit card information entered by customers during the payment process.
  • Specific details regarding the vulnerability type (e.g., XSS, arbitrary file upload) or affected version ranges are not publicly detailed in the source, but active exploitation indicates a severe flaw.
  • The attack vector targets the client-side browser experience of users interacting with compromised WooCommerce checkout pages.

Detection

  • Monitor WordPress file integrity for unauthorized modifications, especially within plugin directories (wp-content/plugins/) or core files, which may indicate initial compromise or script injection.
  • Inspect the source code of WooCommerce checkout pages for unexpected or obfuscated JavaScript inclusions, particularly those loading from unusual external domains or containing suspicious data exfiltration patterns.
  • Review web server access logs for unusual requests targeting Funnel Builder plugin endpoints or attempts to upload malicious files, which could signify exploitation attempts.
  • Implement client-side monitoring (e.g., browser extensions, network proxies) to detect outbound network connections from checkout pages to domains not typically associated with the e-commerce site.
  • Utilize Content Security Policy (CSP) headers to restrict script sources on checkout pages, potentially blocking unauthorized script execution.

Mitigations

  1. Immediately update the Funnel Builder WordPress plugin to the latest available patched version. Verify the update was successful and that no malicious files remain.
  2. Conduct a thorough security audit of the WordPress installation, including the database and file system, to identify and remove any injected malicious code or backdoors.
  3. Implement a robust Web Application Firewall (WAF) to detect and block known exploitation patterns, malicious script injections, and suspicious outbound traffic.
  4. Regularly back up WordPress sites and databases to facilitate rapid recovery in the event of a compromise.
  5. Review and strengthen WordPress security configurations, including strong passwords, least privilege principles, and disabling unnecessary plugins or themes.

References

  • https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/

Indicators of Compromise

No public IOCs available at time of writing.

MITRE ATT&CK

  • T1190 — Exploit Public-Facing Application
  • T1059.007 — JavaScript
  • T1041 — Exfiltration Over C2 Channel
🤖 AI Attribution
Generated by gemini-2.5-flash ·
885 input / 772 output tokens ·
Reviewed and approved by a human analyst before publication
Leave a comment

CVE-2026-0300: PAN-OS User-ID Authentication Portal RCE Vulnerability

Posted on May 15, 2026 by Kyle

Overview

CVE-2026-0300 is a critical out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS software. This flaw in the User-IDâ„¢ Authentication Portal (Captive Portal) service permits an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable PA-Series and VM-Series firewalls. Its high severity (CVSS 9.8) and potential for unauthenticated remote code execution make it a significant threat, especially if the Captive Portal is internet-facing and not properly secured.

Technical Analysis

  • Vulnerability: CVE-2026-0300, an out-of-bounds write (CWE-787), specifically described as a buffer overflow.
  • Affected Service: User-IDâ„¢ Authentication Portal (also known as Captive Portal) service.
  • Attack Vector: An unauthenticated attacker can execute arbitrary code by sending specially crafted packets to the vulnerable service.
  • Impact: Arbitrary code execution with root privileges on the affected firewall.
  • Affected Products: Palo Alto Networks PAN-OS versions 10.2.0 through 10.2.9.
  • Unaffected Products: Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.
  • Prerequisites: The User-IDâ„¢ Authentication Portal must be enabled and accessible to the attacker. The risk is significantly reduced if access to the portal is restricted to trusted internal IP addresses.

Detection

  • Monitor firewall logs for unusual connection attempts or traffic patterns directed at the User-ID Authentication Portal service.
  • Look for unexpected process creation or command execution originating from the firewall’s operating system, particularly with root privileges.
  • Analyze network traffic for specially crafted packets targeting the Captive Portal, though specific signatures may not be publicly available at the time of writing.
  • Hunt for signs of post-exploitation activity, such as outbound connections to unknown external IPs, unusual file modifications, or attempts to establish persistence.
  • Review system logs for crashes or restarts of the User-ID or Captive Portal services that might indicate exploitation attempts.

Mitigations

  1. Restrict Access: Immediately restrict access to the User-IDâ„¢ Authentication Portal (Captive Portal) to only trusted internal IP addresses. This is the primary recommended mitigation to significantly reduce exposure, as highlighted in Palo Alto Networks’ best practice guidelines.
  2. Apply Patches: Apply vendor-provided patches for CVE-2026-0300 as soon as they become available for your specific PAN-OS version. No specific patch versions were provided in the source material, but updates should be prioritized.
  3. Network Segmentation: Isolate firewalls running vulnerable PAN-OS versions from untrusted networks where possible to limit attack surface.
  4. Monitor Firewall Activity: Implement robust monitoring for all firewall management interfaces and services, including the Captive Portal, to detect anomalous behavior.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-0300
  • https://security.paloaltonetworks.com/CVE-2026-0300
  • https://cert-portal.siemens.com/productcert/html/ssa-967325.html
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
  • https://knowledgebase.paloaltonetworks.com/KCSArticleDetail
  • https://unit42.paloaltonetworks.com/captive-portal-zero-day/

Indicators of Compromise

Type Value Description
SHA256 e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 EarthWorm payload hash (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 136.0.8.48 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 146.70.100.69 C2 staging server (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 149.104.66.84 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
IP Address 67.206.213.86 Attacker IP (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)
URL http://146.70.100.69:8000/php_sess EarthWorm download URL (via https://unit42.paloaltonetworks.com/captive-portal-zero-day/)

MITRE ATT&CK

  • T1190 — Exploit Public-Facing Application
  • T1059 — Command and Scripting Interpreter
  • T1068 — Exploitation for Privilege Escalation
  • T1498.001 — Direct Network Flood
  • T1087.002 — Domain Account
  • T1021.004 — SSH
  • T1071 — Application Layer Protocol
  • T1055 — Process Injection
  • T1572 — Protocol Tunneling
  • T1070.001 — Clear Windows Event Logs
  • T1016 — System Network Configuration Discovery
  • T1090 — Proxy
  • T1098 — Account Manipulation
  • T1562.001 — Disable or Modify Tools
  • T1078 — Valid Accounts
  • T1078.002 — Domain Accounts
  • T1070.004 — File Deletion
  • T1071.001 — Web Protocols
  • T1018 — Remote System Discovery
  • T1105 — Ingress Tool Transfer
  • T1021.001 — Remote Desktop Protocol
🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,802 input / 1,120 output tokens ·
Reviewed and approved by a human analyst before publication
Leave a comment

Posts navigation

Newer posts
Proudly powered by WordPress | Theme: micro, developed by DevriX.