Vulnerabilities & Patches
OPNsense CVE-2026-57155: Root RCE via GeoIP Alias
OPNsense CVE-2026-57155 (CVSS 9.9) is a path-traversal flaw in the firewall’s GeoIP alias importer that lets a low-privileged user escalate to full root remote code execution. It is the fifth critical or high-severity OPNsense vulnerability disclosed since May 2026, and it matters disproportionately for German Mittelstand IT teams and MSPs because OPNsense’s free, open-source model…
Read MoreSharePoint RCE CVE-2026-45659: Active Exploits
SharePoint RCE CVE-2026-45659 is now under active exploitation, and the federal patch deadline set by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is July 4 — tomorrow. The CVSS 8.8 deserialization flaw lets any authenticated user with nothing more than baseline Site Member permissions run code remotely on the server. Shadowserver currently counts more…
Read MoreSimpleHelp CVE-2026-48558 RMM Bypass Exploited
A critical SimpleHelp CVE-2026-48558 authentication bypass is letting attackers forge a login token and seize a fully authenticated technician session in the remote monitoring and management (RMM) software thousands of managed service providers use to run client networks. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 29, and researchers have already…
Read MorePTC Windchill RCE CVE-2026-12569: Web Shells Actively Deployed
The PTC Windchill RCE CVE-2026-12569 (CVSS 9.3) is actively exploited — and this is the second attack wave targeting the same product in three months. Attackers are deploying persistent JSP web shells inside Windchill PDMLink and FlexPLM installations right now. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 25, 2026; the…
Read MoreGreatXML — No Patch: BitLocker Bypass via WinRE Survives Incident Response
Your BitLocker-encrypted Windows devices may not be as protected as your NIS2 compliance report says. This week a researcher published GreatXML — a technique that achieves a SYSTEM-level shell with full access to a BitLocker-encrypted volume using nothing more than two XML files placed on the recovery partition. No patch exists. Microsoft is still assessing…
Read More
