Myth vs. Reality: What AI, Project Glasswing, and 48,000 CVEs Actually Mean for TPCRMJoin the Webinar
blog

FOCUS FRIDAY: TPRM Insights on Nginx Rift, Langflow, Jenkins, MongoDB, Litespeed Cpanel Plugin, SimpleHelp, and FortiBleed Breach

Published

Jun 18, 2026

Authors

Ferdi Gül

Contributors

Hakan Karabacak, Yavuz Han

In this article

In this article

See Black Kite in action

BOOK A DEMO

Introduction

This week's Focus Friday covers seven FocusTags® spanning foundational web infrastructure, AI orchestration platforms, CI/CD pipelines, NoSQL databases, web hosting control panels, remote management software, and breach intelligence tied to exposed edge infrastructure: the NGINX Rift Chain, Langflow's latest actively exploited path traversal, Jenkins core deserialization RCE, MongoDB's multi-vector vulnerability cluster, the LiteSpeed cPanel Plugin privilege escalation, a maximum-severity authentication bypass in SimpleHelp, and FortiBleed Breach. Two of this week's tags — LiteSpeed cPanel Plugin and SimpleHelp — involve confirmed active exploitation against deployed infrastructure, with the cPanel Plugin flaw now CISA KEV-listed. Three tags — NGINX, Langflow, and SimpleHelp — carry public proof-of-concept availability or confirmed threat actor tooling, making them particularly time-sensitive.

The NGINX Rift Chain is this week's headline vulnerability: a heap-based buffer overflow residing in NGINX's rewrite module for approximately 18 years, now disclosed with a public PoC, an EPSS of 14.45% — one of the highest in recent Focus Friday history — and confirmed use by the RIFT malware family in targeted exploitation. With an attack surface of tens of millions of NGINX deployments globally, this tag demands immediate configuration auditing and patching across the full vendor ecosystem. Alongside it, Langflow continues to accumulate exploitation pressure: this third Langflow FocusTag® in as many weeks covers an actively exploited path traversal flaw enabling unauthenticated RCE via cron job injection against the ~7,000 publicly exposed instances identified by Censys. The pattern of sustained adversary interest in Langflow — including prior MuddyWater campaigns — confirms that AI orchestration infrastructure represents an established, high-value attack surface. FortiBleed Breach adds a breach-driven signal to this week's vulnerability-heavy set, highlighting how exposed Fortinet environments can translate edge infrastructure weaknesses into confirmed compromise risk for vendor ecosystems.

For third-party risk management professionals, this week's portfolio reflects a threat environment defined by convergence: long-latent vulnerabilities suddenly made exploitable by public research, AI infrastructure continuing to accumulate critical security debt, remote management tools targeted for the privileged access they provide to managed endpoint fleets, and breach activity tied to exposed perimeter infrastructure. Black Kite's FocusTags® translate each of these signals into actionable vendor intelligence — enabling TPRM teams to prioritize engagement against the specific vendors in their ecosystem whose technology footprint intersects with this week's highest-urgency exposure.

Filtered view of vendors with NGINX Rift Chain FocusTag® on the Black Kite platform.

Filtered view of vendors with NGINX Rift Chain FocusTag® on the Black Kite platform.

NGINX Rift Chain (CVE-2026-42945, CVE-2026-46376)

What is this vulnerability?

CVE-2026-42945, named the "NGINX Rift" vulnerability, is a critical heap-based buffer overflow in NGINX's ngx_http_rewrite_module — a flaw that has existed in the codebase for approximately 18 years across all major NGINX Open Source and NGINX Plus versions. The vulnerability is triggered by a specific but realistic rewrite configuration pattern: a rewrite directive using unnamed PCRE capture groups (such as $1 or $2), where the replacement string contains a question mark and is followed by another rewrite, if, or set directive in the same scope. Under this condition, NGINX calculates the destination heap buffer size using one set of URI escaping assumptions, but then copies attacker-controlled URI data using a different escaping mode. Certain URI characters expand during the copy operation, causing data to be written beyond the allocated buffer boundary.

An unauthenticated remote attacker can send crafted HTTP requests to exploit this condition against the NGINX worker process. The public PoC demonstrates reliable heap corruption and achieves Remote Code Execution in environments where ASLR is disabled; the NVD advisory additionally notes that RCE is achievable when an attacker can bypass ASLR. Even when RCE is not attained, repeated triggering crashes NGINX worker processes, causing denial of service and service degradation. The RIFT malware family has been observed leveraging this vulnerability in targeted exploitation attempts. A public PoC repository is available. CVE-2026-42945 carries CVSS 9.2 and an EPSS of 14.45% — placing it in the top tier of actively exploited flaws globally. CVE-2026-46376 covers the associated secondary exposure. The vulnerability is not listed in the CISA KEV catalog at time of publication. Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Instance Manager 2.16.0–2.21.1; NGINX App Protect WAF, App Protect DoS, Gateway Fabric, and Ingress Controller across their respective affected ranges. Fixed in NGINX Open Source 1.31.0 and 1.30.1; NGINX Plus R36 P4, R35 P2, and R32 P6.

Why should TPRM professionals care?

NGINX is the world's most widely deployed web server and reverse proxy, sitting at the public-facing edge of enterprise infrastructure as the primary entry point for HTTP traffic into backend applications, APIs, and services. Its role as an ingress controller in Kubernetes environments, an API gateway in cloud-native architectures, and a WAF and DoS protection layer in F5-managed deployments means that a single exploitable NGINX instance controls traffic routing into the vendor's entire application estate. With an attack surface estimated in the tens of millions of deployments and an EPSS of 14.45%, this vulnerability is in a class of urgency that warrants immediate action regardless of whether patching has been communicated. The 18-year latency of the flaw means it affects every NGINX deployment built over nearly two decades of production history. The RIFT malware family's confirmed exploitation confirms that sophisticated adversaries are already operationalizing this vulnerability against real infrastructure. For TPRM professionals, any vendor running NGINX as a reverse proxy, API gateway, or Kubernetes ingress — particularly in configurations involving URL rewriting, legacy route migration, or API parameter forwarding — should be treated as potentially exposed until configuration review and patching are confirmed.

What questions should TPRM professionals ask vendors?

  1. Have all NGINX instances been upgraded to Open Source 1.31.0 or 1.30.1, or to NGINX Plus R36 P4, R35 P2, or R32 P6? For F5-managed products (App Protect WAF/DoS, Gateway Fabric, Ingress Controller), have the corresponding patched versions been applied?
  2. Have NGINX configuration files been audited for the vulnerable rewrite pattern — specifically, rewrite directives using unnamed PCRE captures ($1, $2) where the replacement string contains a question mark and is followed by another rewrite, if, or set directive in the same scope?
  3. Are NGINX instances running with ASLR enabled on the underlying Linux host? What kernel hardening controls are enforced to reduce the RCE exploitation reliability under the public PoC conditions?
  4. What monitoring exists on NGINX worker processes for anomalous crashes, core dumps, or segmentation faults that may indicate attempted heap corruption exploitation?
  5. For vendors embedding NGINX in third-party appliances, Kubernetes ingress controllers, or WAF products: have those embedded NGINX components been patched, and how is NGINX version tracking enforced in embedded deployments?

Remediation recommendations

  • Upgrade NGINX Open Source to version 1.31.0 or 1.30.1 immediately, and restart NGINX so worker processes reload the patched binary. For NGINX Plus, apply R36 P4, R35 P2, or R32 P6.
  • Audit all NGINX configuration files for the vulnerable rewrite pattern: unnamed PCRE captures ($1, $2) in rewrite rules where the replacement contains a question mark and is followed by rewrite, if, or set. Replace unnamed captures with named captures as a configuration hardening measure.
  • Verify ASLR is enabled on all NGINX host systems (check via /proc/sys/kernel/randomize_va_space — value should be 2) to materially reduce RCE exploit reliability.
  • For embedded NGINX in third-party products (Ingress Controller, Gateway Fabric, App Protect WAF/DoS), track the patched version releases from the respective vendors and apply updates as they become available.
  • Monitor NGINX worker process logs for anomalous restarts, crash loops, or unexpected core dumps — these are indicators of attempted exploitation even when RCE is not achieved.
  • Where immediate patching is not possible, implement upstream filtering or WAF rules targeting crafted URI patterns designed to trigger the buffer overflow, as a compensating control only.
Black Kite's NGINX Rift Chain FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's NGINX Rift Chain FocusTag® details critical insights on the event for TPRM professionals.

FortiBleed

What is this threat?

The FortiBleed Campaign is a large-scale automated credential-stuffing operation targeting internet-exposed Fortinet firewalls and VPN gateways worldwide. Rather than exploiting a software vulnerability, attackers systematically identify publicly accessible Fortinet management and SSL VPN interfaces and attempt authentication using previously leaked credentials, default administrator accounts, and weak passwords.
The campaign targets Fortinet administrative and SSL VPN portals exposed on both standard and alternative ports, including 443, 4443, 8443, and 10443. Because the activity relies on credential abuse rather than software exploitation, no CVE has been assigned and the campaign is not listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
Threat intelligence reporting indicates active exploitation by Russian-speaking threat actors, with particular focus on government, defense, and NATO-aligned organizations. Once administrative access is obtained, compromised devices can be used to collect additional credentials, monitor traffic, and establish persistent access, enabling continued unauthorized access across the affected environment.
This threat affects Fortinet firewalls and VPN gateways, primarily FortiGate devices, that expose management or SSL VPN interfaces directly to the public internet and rely on weak, default, reused, or previously compromised credentials. Risk is entirely dependent on configuration and credential hygiene rather than software version.

Why should TPRM professionals care?

Fortinet devices frequently serve as the security perimeter for enterprise networks and often provide administrative access to critical infrastructure, remote users, and third-party connectivity. A successful compromise of a vendor's Fortinet environment may provide attackers with privileged access to sensitive internal systems, VPN services, network traffic, and authentication infrastructure.

For TPRM professionals, vendors operating internet-exposed Fortinet appliances represent a significant third-party risk. A compromised Fortinet gateway can serve as an entry point into the vendor's environment, potentially exposing customer data, shared services, business communications, and interconnected systems. Because this campaign relies on credential abuse rather than software vulnerabilities, organizations may incorrectly assume they are protected simply because devices are fully patched.

The active nature of the campaign demonstrates that threat actors are continuously scanning the internet and testing stolen credentials against exposed Fortinet infrastructure. Vendors with poor credential management practices or publicly accessible administrative interfaces face elevated risk of compromise.

What questions should TPRM professionals ask vendors?

Have all Fortinet administrative and SSL VPN accounts been audited to identify default, weak, dormant, or unnecessary accounts?
Is Multi-Factor Authentication (MFA) enforced for all administrative users and SSL VPN users without exception?
Have administrative passwords and service account credentials been rotated recently, and are password reuse controls enforced?
Are Fortinet management interfaces accessible from the public internet, or are they restricted to trusted internal networks, VPN access, or authorized IP ranges?
Have firewall logs, authentication logs, and VPN session records been reviewed for evidence of unauthorized login attempts, credential-stuffing activity, or anomalous administrative access?
Have exposed Fortinet assets been identified through external attack surface monitoring to verify that management interfaces are not publicly accessible?

Remediation recommendations

  • Audit all administrative and VPN accounts immediately. Disable, rename, or remove default administrator accounts and review all privileged users for legitimacy.
  • Enforce Multi-Factor Authentication (MFA) across all Fortinet administrative portals and SSL VPN services.
  • Perform mandatory password resets for administrative accounts and service accounts. Ensure strong, unique credentials are used and verify that previously leaked credentials cannot be reused.
  • Restrict management interface exposure. Administrative access should not be available directly from the public internet and should be limited to trusted networks or approved IP allowlists.
  • Review firewall logs, authentication records, VPN sessions, and administrative activity for indicators of unauthorized access, credential-stuffing attempts, or suspicious login activity.
  • Continuously monitor internet-facing Fortinet infrastructure to identify newly exposed management interfaces and reduce future attack surface.

Langflow - Jun2026 (Latest) (CVE-2026-5027)

What is this vulnerability?

CVE-2026-5027 (CVSS 8.8, EPSS 2.29%) is a high-severity path traversal vulnerability (CWE-22) in Langflow's file upload endpoint: POST /api/v2/files. The upload_user_file() function in the backend fails to sanitize the filename parameter supplied in multipart form data, allowing an attacker to embed directory traversal sequences (../) to write arbitrary files to any location accessible to the Langflow server process on the host filesystem. The exploitation barrier is effectively zero in default deployments: Langflow enables unauthenticated auto-login by default, which allows an attacker to obtain a valid session token with a single HTTP request before chaining into the file write primitive — no credentials of any kind are required.

The path from arbitrary file write to full Remote Code Execution is straightforward: writing a malicious payload to a cron job directory such as /etc/cron.d/ or overwriting application configuration files escalates the file write to code execution under the Langflow process's system privileges. The vulnerability was discovered by Tenable (advisory TRA-2026-26) and disclosed publicly on March 27, 2026 following three failed responsible disclosure attempts. VulnCheck has since confirmed active exploitation in the wild, with honeypots detecting threat actors already writing test files to vulnerable Langflow instances at time of disclosure. A public PoC is available. Censys identifies approximately 7,000 publicly exposed instances globally; Shodan detects ~358 versioned instances across known affected releases. This is the fourth Langflow CVE in this tag cluster, joining CVE-2026-0770, CVE-2026-33017, and CVE-2025-34291 — the last of which was weaponized by the MuddyWater threat group. Affected versions: Langflow up to 1.8.4 and langflow-base below 0.8.3. Fully patched in Langflow 1.10.0 (released June 10, 2026). Not listed in CISA KEV; listed in the EU Vulnerability Database as EUVD-2026-16668.

Why should TPRM professionals care?

This is the third consecutive Focus Friday covering a critical Langflow vulnerability, and each new disclosure reinforces the same conclusion: Langflow is an actively targeted platform with a demonstrated history of high-severity security debt. The combination of confirmed active exploitation, ~7,000 publicly exposed instances, a public PoC, and prior MuddyWater campaign activity confirms that Langflow is an established target within the advanced persistent threat landscape — not an opportunistic or theoretical risk. CVE-2026-5027's zero-credential exploitation path means that any vendor running an internet-exposed Langflow instance at version 1.8.4 or earlier is trivially compromisable with a single crafted HTTP request. Langflow's position as an AI orchestration hub — typically connected to LLM APIs, vector databases, cloud provider credentials, and sensitive data pipelines — amplifies the blast radius substantially: a successful compromise does not merely expose the application host but potentially all AI workflows, connected API keys, and data processed through the platform. For TPRM professionals, any vendor operating Langflow must be confirmed as running version 1.10.0 and with auto-login disabled — a specific, verifiable remediation state.

What questions should TPRM professionals ask vendors?

  1. Have all Langflow deployments been upgraded to version 1.10.0 (released June 10, 2026)? If still on 1.8.4 or earlier, what is the confirmed remediation timeline and what interim controls have been applied?
  2. Has the default auto-login configuration been disabled across all Langflow instances, requiring authentication for all API access including the /api/v2/files endpoint?
  3. Have all Langflow instances been placed behind a VPN or firewall, eliminating direct public internet accessibility? Given ~7,000 exposed instances, any publicly reachable Langflow deployment should be treated as an emergency remediation priority.
  4. Has the server filesystem been inspected for unauthorized files — specifically in cron directories (/etc/cron.d/, /var/spool/cron/) and application configuration paths — that may have been written via CVE-2026-5027 exploitation prior to patching?
  5. Have application logs been reviewed for malformed or anomalous POST requests to /api/v2/files containing directory traversal sequences (../, %2e%2e%2f, or encoded variants)?

Remediation recommendations

  • Upgrade all Langflow deployments to version 1.10.0 immediately — this is the fully patched release. As an interim minimum baseline if immediate upgrade is not possible, target Langflow 1.9.0 / langflow-base 0.8.3.
  • Disable Langflow's default auto-login configuration immediately — this single configuration change eliminates the unauthenticated exploitation path for any instance that cannot be patched without delay.
  • Restrict all Langflow instances to trusted internal network ranges or VPN-gated access; eliminate any direct public internet exposure.
  • Conduct a targeted filesystem hunt for unauthorized files in cron directories and configuration paths; treat any unexpected files as indicators of prior compromise requiring full forensic investigation.
  • Review web server and application logs for POST requests to /api/v2/files with traversal sequences; correlate with unexpected process executions, outbound connections, or new cron job entries following any identified exploitation window.
Black Kite's Langflow - Jun2026 (Latest) FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's Langflow - Jun2026 (Latest) FocusTag® details critical insights on the event for TPRM professionals.

Jenkins - Jun2026 (CVE-2026-53435, CVE-2026-53441)

What is this vulnerability?

Two high-severity vulnerabilities were disclosed by the Jenkins security team as part of the June 10, 2026 Jenkins Security Advisory affecting Jenkins core. CVE-2026-53435 (CVSS 8.8, EPSS 0.37%) is the primary threat: a deserialization vulnerability enabling user impersonation, arbitrary file reads, and Remote Code Execution via the Jenkins Script Console. Jenkins employs a custom deserialization filter (JEP-200) and restricts HTTP routing via the Stapler web framework to plugin-defined annotated types. In Jenkins 2.567 and earlier / LTS 2.555.2 and earlier, an attacker can submit a crafted config.xml that causes Jenkins to deserialize arbitrary types within the allowed set in a manner that subsequently enables those deserialized objects to handle HTTP requests.

The exploitation chain is multi-stage: by routing HTTP requests through deserialized objects, an attacker can impersonate any Jenkins user including administrators, invoke the Jenkins Script Console to execute arbitrary Groovy code on the controller host, and read arbitrary files from the Jenkins controller filesystem — including stored credentials, SSH keys, and environment configuration. The entry condition is a low-privilege Jenkins account with Overall/Read permission combined with any one of: a non-anonymous user account, Item/Configure, View/Configure, or Agent/Configure permission — a threshold routinely met by developer and operator accounts. CVE-2026-53441 (CVSS 8.0) is a stored Cross-Site Scripting vulnerability: since Jenkins 2.483, node offline cause descriptions are rendered as HTML. The user-supplied description submitted via the POST config.xml API is not escaped, allowing any user with Agent/Configure permission to inject persistent XSS payloads that execute in the browser of any Jenkins user who views the affected node's status. Approximately 36,673 Jenkins instances are detectable on Shodan running affected version ranges. No public PoC; not in CISA KEV. Fixed in Jenkins 2.568 (weekly) and LTS 2.555.3.

Why should TPRM professionals care?

Jenkins is the backbone of CI/CD infrastructure across enterprise software development organizations — it controls the build, test, and deployment pipeline for applications, infrastructure automation, and cloud provisioning. The Jenkins credentials store typically holds the highest-concentration repository of secrets in the development environment: cloud provider API keys, container registry credentials, SSH private keys for production servers, database passwords, and signing certificates. CVE-2026-53435's exploitation chain — from a low-privilege developer account to arbitrary Groovy code execution on the controller with full access to the credentials store — represents a direct path to the vendor's complete production deployment infrastructure. For TPRM professionals, a compromised Jenkins controller at a vendor does not merely expose that vendor's internal systems; it exposes every cloud environment, API, and service that the vendor deploys to — including potentially the services processing your organization's data. CVE-2026-53441's stored XSS compounds this: a persistent payload in the Jenkins dashboard executing in administrator sessions enables credential harvest at the highest privilege level without requiring direct API exploitation.

What questions should TPRM professionals ask vendors?

  1. Have all Jenkins instances been upgraded to version 2.568 (weekly) or LTS 2.555.3, released June 10, 2026? What is the verified installed version and patch timeline for any unpatched instances?
  2. Have Jenkins user accounts been audited for the minimum permission set required to exploit CVE-2026-53435 — specifically Overall/Read combined with any of Item/Configure, View/Configure, or Agent/Configure? What RBAC controls restrict config.xml POST permissions?
  3. Have Jenkins controller audit logs been reviewed for anomalous config.xml POST requests from low-privileged accounts, unexpected Script Console executions, or unauthorized file access patterns that may indicate prior exploitation?
  4. Have all registered node offline cause descriptions been reviewed for HTML or JavaScript payloads injected via CVE-2026-53441? Have all Jenkins agent node configurations been audited post-advisory?
  5. Is the Jenkins controller accessible only from trusted internal network ranges, or is it directly reachable from the public internet? What perimeter controls restrict access to the Jenkins UI and API endpoints?

Remediation recommendations

  • Upgrade all Jenkins instances to Jenkins 2.568 (weekly) or Jenkins LTS 2.555.3 immediately — these are the only releases that fully address both CVE-2026-53435 and CVE-2026-53441.
  • Audit all Jenkins user roles and apply strict RBAC via the Role Strategy Plugin or Matrix Authorization Strategy; restrict Item/Configure, View/Configure, Agent/Configure, and config.xml POST access to the minimum required population.
  • Inspect Jenkins controller audit logs for anomalous config.xml POST requests from low-privileged accounts, unexpected Script Console invocations, or file read activity from unexpected system paths — treat any positive findings as indicators of compromise requiring full credentials rotation.
  • Audit all node offline cause descriptions for injected HTML/JavaScript content; remove any suspicious payloads immediately and confirm that post-patch rendering is plain text.
  • Ensure the Jenkins controller is not directly internet-accessible; place it behind a VPN or restrict access to trusted IP ranges as a defense-in-depth control.
Black Kite's Jenkins - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's Jenkins - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

MongoDB - Jun2026 (CVE-2026-11933, CVE-2026-9740, CVE-2026-9750, CVE-2026-9743)

What is this vulnerability?

Four high-severity vulnerabilities were identified across MongoDB Server branches 7.0, 8.0, 8.2, and 8.3, spanning a threat surface that includes memory corruption, unauthenticated Denial of Service, data integrity compromise, and aggregation pipeline crashes. CVE-2026-11933 (CVSS 8.7, EPSS 0.34%) is a use-after-free in MongoDB Server's server-side JavaScript engine: during BSON-to-JavaScript array conversion, an authenticated user with read privileges invoking $where or $function operators can trigger access to previously freed memory. Successful exploitation may disclose sensitive data from the mongod process memory — including in-memory query results, cached documents, and session-resident credential material — or cause a server crash.

CVE-2026-9740 (CVSS 8.7, EPSS 0.27%) is the most broadly exploitable flaw: an unauthenticated infinite recursion Denial of Service in BSON validation logic. A specially crafted BSON message triggers uncontrolled mutual recursion between validation functions, where each invocation silently resets internal depth tracking and prevents the server from detecting the runaway recursion. The result is a mongod process crash with zero credentials required — making this trivially weaponizable against any internet-exposed MongoDB instance. CVE-2026-9750 (CVSS 7.1, EPSS 0.30%) introduces internal metadata corruption via insufficient separation between user-controlled document fields and MongoDB's internal query processing metadata, potentially causing the server to return incorrect query results — a silent data integrity failure dangerous in production environments. CVE-2026-9743 (CVSS 7.1, EPSS 0.24%) is a null pointer dereference in aggregation pipeline processing: an authenticated user can trigger a server crash via a crafted aggregation query followed by a getMore call on the same cursor. Approximately 46,077 MongoDB instances are detectable on Shodan running affected versions. No public PoC; not in CISA KEV. Fixed in MongoDB Server 8.0.26, 8.2.11, and 8.3.4 (with corresponding 7.0.x maintenance updates).

Why should TPRM professionals care?

MongoDB is the primary data store for a broad class of modern applications — from e-commerce and FinTech platforms to content management systems, IoT data pipelines, and cloud-native SaaS applications. CVE-2026-9740's unauthenticated DoS path means that any vendor with an internet-exposed MongoDB instance can have their database service crashed by any external actor with network reach and a single crafted packet — with no credentials required. For TPRM professionals, this represents a trivial availability attack vector against vendor production databases, with direct consequences for service continuity and data accessibility. CVE-2026-11933's use-after-free in the JavaScript engine is operationally dangerous in a different dimension: authenticated database users — including developer accounts, reporting service accounts, or any account with read access — can potentially extract in-memory data from co-resident database operations, including cached credentials, query results, or session material from other users' operations. CVE-2026-9750's silent incorrect query results introduce a data integrity risk that is particularly difficult to detect — applications may consume incorrect query output and propagate errors into downstream business logic without any immediate indication of compromise.

What questions should TPRM professionals ask vendors?

  1. Have all MongoDB Server instances been upgraded to the patched release for the deployed branch — 8.0.26 for the 8.0.x branch, 8.2.11 for the 8.2.x branch, or 8.3.4 for the 8.3.x branch? For 7.0.x deployments, have the corresponding maintenance updates been applied?
  2. Given CVE-2026-9740's unauthenticated attack path: are any MongoDB instances accessible from the public internet or untrusted networks? Have firewall rules been verified to restrict MongoDB port access (default TCP 27017) to authorized application server IP ranges only?
  3. Is server-side JavaScript execution ($where and $function operators) enabled in your MongoDB deployment? If not operationally required, has security.javascriptEnabled been set to false to eliminate the CVE-2026-11933 exploitation path?
  4. Have MongoDB logs been reviewed for unexpected server crashes, segmentation faults, or process terminations that may indicate active exploitation of the DoS-class vulnerabilities prior to patching?
  5. What application-layer validation exists to detect anomalous query results that may indicate CVE-2026-9750 metadata corruption? Are critical MongoDB query outputs validated against secondary consistency checks in the application logic?

Remediation recommendations

  • Upgrade all MongoDB Server instances to 8.0.26, 8.2.11, or 8.3.4 (with corresponding 7.0.x maintenance releases) immediately. Confirm the installed version post-upgrade via db.version() in the MongoDB shell.
  • Enforce network-level firewall rules restricting MongoDB port access (TCP 27017) to authorized application server IP ranges only; eliminate any direct public internet exposure — particularly critical given CVE-2026-9740's unauthenticated attack surface.
  • If $where and $function operators are not operationally required, set security.javascriptEnabled: false in mongod.conf immediately as an interim mitigation for CVE-2026-11933 pending patching.
  • Review MongoDB audit logs (mongod.log) for unexpected crashes, segmentation faults, and anomalous $where or $function invocations from low-privileged read accounts.
  • Audit aggregation pipeline access permissions — restrict aggregation execution to accounts that operationally require it, reducing the exploitable population for CVE-2026-9743.
Black Kite's MongoDB - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's MongoDB - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

LiteSpeed cPanel Plugin (CVE-2026-54420)

What is this vulnerability?

CVE-2026-54420 (CVSS 8.5, EPSS 0.65%) is a high-severity privilege escalation vulnerability in the LiteSpeed user-end cPanel Plugin — a widely deployed component that integrates LiteSpeed Web Server capabilities with the cPanel/WHM hosting control panel ecosystem used across shared hosting infrastructure globally. The flaw allows an attacker with FTP access or web shell access to a shared hosting account — the lowest possible access tier, routinely available to shared hosting customers — to escalate privileges directly to root on servers running CloudLinux/CageFS. CloudLinux/CageFS is the standard tenant isolation architecture in multi-tenant shared hosting environments, deployed specifically to prevent hosting customers from accessing each other's files or the host system. This vulnerability completely nullifies that isolation guarantee.

The exploitation technique is specific and automatable: attackers chain generateEcCert and packageUserSize API calls concurrently at high volume (7–10 concurrent requests per attempt from a single source IP). This concurrency pattern exploits a race condition or improper privilege boundary in the plugin's API processing. The vulnerability was reported to LiteSpeed by the security team at Namecheap, patched on June 1, 2026, and added to CISA's Known Exploited Vulnerabilities catalog on June 15, 2026, confirming active in-the-wild exploitation. No public PoC is available. The LiteSpeed WHM plugin itself is not affected — only the user-end cPanel plugin. Affects all versions prior to 2.4.8. Fixed in LiteSpeed WHM Plugin v5.3.2.1 bundled with cPanel plugin v2.4.8.

Why should TPRM professionals care?

Shared hosting infrastructure underpins a significant portion of the web presence of small and medium businesses, e-commerce vendors, and managed service providers operating cost-effective hosting environments for their customers. A root-level privilege escalation from a shared hosting FTP account means that any compromised tenant account on an affected server — or any threat actor who purchases a hosting account — can take over the entire server and every other hosted account on it. For TPRM professionals, vendors operating as hosting providers or MSPs with shared hosting infrastructure represent a particularly high-consequence risk profile under this vulnerability: one compromised or malicious shared tenant can access every other customer's files, databases, and email data on that server. The CISA KEV listing confirms that adversaries are actively weaponizing this capability against real hosting infrastructure. Vendors who rely on shared LiteSpeed/cPanel hosting for their web infrastructure — whether directly or through upstream hosting providers — should confirm that their hosting environment has been patched against CVE-2026-54420.

What questions should TPRM professionals ask vendors?

  1. Has the LiteSpeed WHM Plugin been upgraded to v5.3.2.1 (bundling cPanel plugin v2.4.8) on all affected shared hosting servers? What is the verification method used to confirm the patched release is active?
  2. Has the vendor-provided exploitation detection command been executed on all affected servers to determine whether active exploitation occurred prior to patching? (Command: grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/)
  3. For any server where the detection command returned positive results: has a full incident response been initiated, including credentials rotation for all hosted accounts and forensic review of all tenant data?
  4. Have system-level audit logs been reviewed for unexpected root-level process executions, new user account creations, SSH key additions, or cron job modifications coinciding with the exploitation window?
  5. For vendors operating as hosting providers or MSPs: have all customer-hosting customers whose data resided on affected servers been notified of the potential exposure?

Remediation recommendations

  • Upgrade to LiteSpeed WHM Plugin v5.3.2.1 immediately by running the vendor-provided update command: wget -O- https://litespeedtech.com/packages/cpanel/lsws_whm_plugin_install.sh | sh. Confirm the installed version post-upgrade.
  • If patching cannot be performed immediately, uninstall the user-end cPanel plugin entirely using: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. Reinstall only after upgrading to the patched version.
  • Run the vendor-provided exploitation detection grep command immediately on all affected servers; treat any positive results as confirmed compromise requiring full incident response — credential rotation, forensic review, and customer notification.
  • Review system-level audit logs for root-level process anomalies, new user accounts, SSH key additions, and cron job modifications that correlate with the exploitation timeframe.
  • Given the CISA KEV listing and active exploitation, federal agencies must remediate by the applicable KEV deadline; all other organizations should treat this as a critical incident-response priority.
Black Kite's LiteSpeed cPanel Plugin FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's LiteSpeed cPanel Plugin FocusTag® details critical insights on the event for TPRM professionals.

SimpleHelp - Jun2026 (CVE-2026-48558)

What is this vulnerability?

CVE-2026-48558 (CVSS 9.5, EPSS 0.63%) is a critical authentication bypass vulnerability in SimpleHelp remote management software when configured with OpenID Connect (OIDC) authentication. The flaw resides in the single sign-on mechanism: identity tokens submitted during login are accepted without verifying their cryptographic signatures. An unauthenticated remote attacker can forge arbitrary OIDC tokens, submit them as legitimate authentication credentials, and obtain a fully authenticated technician session — bypassing all authentication controls without requiring any prior credentials or knowledge of existing account details.

The bypass also defeats Multi-Factor Authentication protections: newly registered technician accounts are permitted to self-register their own MFA credentials on first login, meaning an attacker who obtains a forged authenticated session can immediately enroll their own MFA device and establish persistent access. Threat actors are actively exploiting this vulnerability to hijack remote endpoints and execute arbitrary administrative commands or scripts across managed endpoint fleets. Horizon3.ai has released an official vulnerability disclosure and indicators of compromise guide to assist in detecting active exploitation. No public PoC has been published. CVE-2026-48558 is not listed in the CISA KEV catalog at time of publication but carries confirmed active exploitation. Listed in the EU Vulnerability Database as EUVD-2026-36509. Affects SimpleHelp 5.5.0 through 5.5.15 and 6.0 pre-release builds prior to RC2. Fixed in the latest patched releases per the vendor advisory.

Why should TPRM professionals care?

SimpleHelp is a remote support and management platform — a category of software that carries enterprise-grade privileged access to the managed endpoint fleet by design. Technician accounts in SimpleHelp can execute scripts, initiate remote sessions, access files, and perform administrative actions on every endpoint under management. An authentication bypass that grants an external attacker full technician-level access is effectively an unrestricted remote access credential to every device the vendor manages through SimpleHelp. For TPRM professionals, vendors operating SimpleHelp for internal IT management, managed services delivery, or customer endpoint support represent a direct lateral movement risk: a compromised SimpleHelp instance provides persistent, privileged access to the vendor's entire managed device landscape, including any endpoints processing your organization's data or operating within shared service environments. The confirmed active exploitation and MFA self-registration bypass mean that adversaries are actively establishing persistent footholds in vulnerable SimpleHelp instances right now, with the additional capability to lock out legitimate administrators by enrolling attacker-controlled MFA devices on hijacked sessions.

What questions should TPRM professionals ask vendors?

  1. Have all SimpleHelp instances been upgraded to the patched release addressing CVE-2026-48558? What is the confirmed installed version and remediation timeline for any unpatched instances?
  2. Has the SimpleHelp technician account list been audited for unauthorized accounts — particularly accounts with self-registered MFA credentials created by unfamiliar sessions? Have any such accounts been immediately suspended and investigated?
  3. Have SimpleHelp session logs been reviewed against the Horizon3.ai indicators of compromise to determine whether active exploitation occurred prior to patching?
  4. If immediate patching is not feasible, has OIDC authentication been temporarily disabled and reverted to local directory authentication with pre-enrolled MFA credentials to eliminate the CVE-2026-48558 attack surface?
  5. What network controls restrict access to the SimpleHelp management interface? Is it accessible only from trusted technician IP ranges, or is it reachable from untrusted external networks?

Remediation recommendations

  • Apply the official SimpleHelp patches immediately — upgrade all public-facing and internal SimpleHelp instances to the latest release containing the OIDC authentication signature verification fix.
  • Audit all SimpleHelp technician accounts immediately; suspend any account whose creation cannot be verified as authorized, particularly those with self-registered MFA credentials or sessions originating from unexpected source IPs.
  • Run a log review against the Horizon3.ai IoC guide for CVE-2026-48558 to determine whether exploitation occurred prior to patching; treat any confirmed exploitation as a full incident requiring forensic investigation of all managed endpoints.
  •  If patching cannot be performed immediately, disable OIDC authentication entirely and revert to local directory authentication with pre-enrolled MFA credentials as an interim control eliminating the authentication bypass surface.
  • Restrict SimpleHelp management interface access to trusted technician IP ranges via firewall rules; eliminate any direct public internet exposure of the management interface.
Black Kite's SimpleHelp - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's SimpleHelp - Jun2026 FocusTag® details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

This week's seven FocusTags® surface a pattern that TPRM professionals must track across the evolving threat landscape: the compounding of legacy vulnerability debt, exposed management surfaces, and accelerating adversary tooling. The NGINX Rift Chain is the clearest example — an 18-year-old flaw that existed invisibly across the entire NGINX ecosystem until a public PoC and malware family confirmation transformed it into an immediately actionable risk. Langflow's third consecutive high-severity CVE demonstrates that sustained adversary interest in a single platform creates compounding risk: vendors who deferred patching prior Langflow CVEs now face a new actively exploited flaw, while vendors who did patch must now confirm they reached version 1.10.0 specifically, not merely a prior patch release. FortiBleed Breach adds another critical dimension to this week's risk landscape: confirmed breach activity tied to exposed Fortinet environments, where vulnerable edge infrastructure can provide attackers with durable access into vendor networks and create downstream third-party risk for customers relying on those vendors.

SimpleHelp and LiteSpeed cPanel Plugin represent a category of exposure that TPRM programs traditionally miss: remote management and hosting platform vulnerabilities that carry disproportionate access implications but appear nowhere in standard technology disclosures or questionnaire responses. Black Kite's FocusTags® address each of these dimensions simultaneously. Rather than requiring TPRM teams to maintain parallel monitoring streams for web server CVE advisories, AI platform security bulletins, CI/CD security advisories, hosting control panel vulnerabilities, and breach intelligence tied to edge infrastructure, FocusTags® consolidate the weekly threat signal into vendor-specific, actionable exposure data. For the NGINX Rift Chain, this means identifying which vendors in the portfolio are running affected NGINX configurations — not just affected versions — enabling a targeted, technically precise conversation about rewrite configuration patterns rather than a generic patch compliance inquiry. For Jenkins, it means identifying vendors whose CI/CD infrastructure hosts the credentials that control production deployment — a risk dimension that standard vulnerability questionnaires never reach. For FortiBleed Breach, it means helping TPRM teams prioritize vendors where confirmed breach activity and exposed Fortinet infrastructure may indicate elevated compromise risk beyond ordinary patch management.

The operational compounding of this week's seven tags further illustrates FocusTags®' value at scale. Organizations managing large vendor ecosystems would otherwise face seven parallel outreach campaigns across distinct technology categories, each requiring specialized technical knowledge to formulate meaningful remediation requests. FocusTags® enable TPRM teams to consolidate this into a single, vendor-prioritized intelligence layer — ensuring that the vendors carrying the highest concurrent exposure across multiple tags receive the most urgent engagement, while those with single-tag exposure are queued efficiently behind them.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

Black Kite's FocusTag® technology provides TPRM teams with the intelligence infrastructure needed to keep pace with an accelerating threat landscape. By automatically correlating newly disclosed vulnerabilities with the technology profiles of vendors in your ecosystem, Black Kite transforms reactive patch tracking into proactive vendor risk management.

  • Instant Vendor Exposure Mapping: FocusTags® automatically identify which vendors in your portfolio are running affected products, eliminating the manual effort of mapping CVEs to vendor technology inventories across large, complex third-party ecosystems.
  • Precision-Targeted Remediation Requests: Each FocusTag® includes specific, technically grounded vendor questions — moving beyond generic patch status inquiries to version-specific, control-specific questions that surface genuine remediation versus compliance theater.
  • Continuous Risk Score Integration: FocusTag® exposure feeds directly into Black Kite's vendor risk scores, ensuring that critical vulnerability exposure is immediately reflected in your third-party risk ratings without waiting for the next scheduled assessment cycle.
  • Operational Efficiency at Scale: By consolidating multi-product vulnerability intelligence into a single prioritized view, FocusTags® enable TPRM teams to manage concurrent threat events across diverse technology categories without scaling headcount — ensuring risk teams operate at the speed of the threat landscape.

By transforming raw cyber threat data into precise, actionable intelligence, Black Kite's FocusTags® provide TPRM professionals with the exact tools needed to efficiently and effectively secure the digital supply chain against today's most sophisticated attacks.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • NGINX Rift Chain : CVE-2026-42945, CVE-2026-46376, Critical Heap-Based Buffer Overflow and Remote Code Execution Vulnerability in NGINX ngx_http_rewrite_module.
  • FortiBleed Breach: Active exploitation of Fortinet vulnerabilities has led to confirmed breach activity, enabling attackers to compromise exposed Fortinet environments and creating significant third-party risk for affected organizations.
  • Langflow - Jun2026 (Latest): CVE-2026-5027, High-Severity Path Traversal and Unauthenticated Remote Code Execution Vulnerability in Langflow.
  • Jenkins - Jun2026 : CVE-2026-53435, CVE-2026-53441, High-Severity Deserialization Type Bypass, User Impersonation, Arbitrary File Read, Script Console Remote Code Execution, and Stored XSS Vulnerabilities in Jenkins.
  • MongoDB - Jun2026 : CVE-2026-11933, CVE-2026-9740, CVE-2026-9750, CVE-2026-9743, High-Severity Use-After-Free Memory Disclosure, Unauthenticated Denial of Service, Metadata Corruption, and Null Pointer Dereference Vulnerabilities in MongoDB.
  • LiteSpeed cPanel Plugin : CVE-2026-54420, High-Severity Privilege Escalation to Root Vulnerability in LiteSpeed cPanel Plugin.
  • SimpleHelp - Jun2026 : CVE-2026-48558, Critical OIDC Authentication Bypass and Administrative Account Takeover Vulnerability in SimpleHelp.
  • Automatic Tank Gauge (ATG) Systems : Critical Internet-Exposed Automatic Tank Gauge Systems Enabling Unauthenticated Remote Command Execution.
  • LiteLLM : CVE-2026-42271, High-Severity Authenticated Command Execution Vulnerability in LiteLLM AI Proxy Server.
  • Ivanti EPMM - Jun2026 : CVE-2026-6973, CVE-2026-10727, High-Severity Remote Code Execution and OS Command Injection Vulnerabilities in Ivanti Endpoint Manager Mobile.
  • Exchange Server - Jun2026 : CVE-2026-45504, CVE-2026-45503, CVE-2026-47631, CVE-2026-45583, CVE-2026-45501, CVE-2026-45500, CVE-2026-45502, High-Severity Privilege Escalation, SSRF, Spoofing, Remote Code Execution, and Information Disclosure Vulnerabilities in Microsoft Exchange Server.
  • SharePoint - Jun2026 : CVE-2026-45484, CVE-2026-47298, CVE-2026-47634, CVE-2026-45481, CVE-2026-45454, High-Severity Privilege Escalation, Remote Code Execution, Spoofing, and Path Traversal Vulnerabilities in Microsoft SharePoint.
  • MariaDB - Jun2026 : CVE-2026-49261, CVE-2026-48165, CVE-2026-48163, Critical and High-Severity Remote Code Execution, Authentication Bypass, and Server-Side Vulnerabilities in MariaDB Community Server.
  • SolarWinds Serv-U - Jun2026 : CVE-2026-28318, High-Severity Uncontrolled Resource Consumption Vulnerability in SolarWinds Serv-U.
  • Samba - Jun2026 : CVE-2026-4480, CVE-2026-4408, CVE-2026-1933, CVE-2026-3012, CVE-2026-3238, CVE-2026-2340, Critical and High-Severity Vulnerabilities including Remote Code Execution and Access Control Bypass in Samba.
  • Roundcube - Jun2026 : CVE-2026-48842, CVE-2026-48844, CVE-2026-48848, CVE-2026-48845, CVE-2026-48846, Five High-Severity Vulnerabilities including SQL Injection, Server-Side Code Injection (RCE), and XSS in Roundcube Webmail. Langflow - Jun2026 : CVE-2026-7524, CVE-2026-48519, Two Critical-Severity Vulnerabilities including Path Traversal and Remote Code Execution in Langflow OSS.
  • Axios - Jun2026 : CVE-2026-44492, CVE-2026-44494, Two High-Severity Vulnerabilities including SSRF via NO_PROXY Bypass and Prototype Pollution in Axios.
  • ActiveMQ - Jun2026 : CVE-2026-45505, CVE-2026-42588, CVE-2026-49157, CVE-2026-42253, High-Severity Vulnerabilities including Remote Code Execution, Incorrect Permissions, and XSS in Apache ActiveMQ.
  • Apache Solr - Jun2026 : CVE-2026-44825, Critical Hardcoded and Default Credentials Vulnerability in Apache Solr.
  • Apache Airflow - Jun2026 : CVE-2026-45360, High-Severity Arbitrary Class Import Vulnerability in Apache Airflow.
  • Plesk - Jun2026 : CVE-2026-44962, Near-Maximum-Severity Chained XPath and OS Command Injection Vulnerability in Plesk.
  • Synology DSM Chat Server - Jun2026 : CVE-2026-40541, CVE-2026-32998, CVE-2026-32997, CVE-2026-32996, CVE-2026-9548, CVE-2026-9491, Critical and High-Severity Vulnerabilities including Remote Code Execution and Arbitrary File Access in Synology Chat Server.
  • Langflow - May2026 : CVE-2025-34291, Critical CORS/CSRF and Remote Code Execution Vulnerabilities in Langflow.
  • FreeBSD - May2026 : CVE-2026-45255, CVE-2026-45250, CVE-2026-45251, CVE-2026-45252, CVE-2026-39461, CVE-2026-45254, CVE-2026-45253, Critical and High-Severity Remote Code Execution, Kernel Privilege Escalation, Sandboxing Breaches, and Network Denial of Service Vulnerabilities in FreeBSD core OS.
  • Memcached - May2026 : CVE-2026-47783, CVE-2026-47784, High-Severity SASL Authentication Timing Side-Channel Vulnerabilities in Memcached.
  • Exchange Server - May2026 : CVE-2026-42897, High-Severity Cross-Site Scripting (XSS) Vulnerability in Outlook Web Access (OWA).
  • NGINX - May2026 : Critical Memory Corruption and Remote Code Execution Vulnerability in Nginx.
  • OpenClaw - May2026 : CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118, Critical Sandbox Escape, Sensitive Data Exfiltration, Privilege Escalation, and Persistent Backdoor Installation Vulnerabilities in OpenClaw.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied  FocusTags® at https://blackkite.com/cve-database.

References

https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability

 https://nvd.nist.gov/vuln/detail/CVE-2026-42945

https://my.f5.com/manage/s/article/K000161019

https://github.com/DepthFirstDisclosures/Nginx-Rift

https://www.cve.org/CVERecord?id=CVE-2026-5027
https://nvd.nist.gov/vuln/detail/CVE-2026-5027
https://www.tenable.com/security/research/tra-2026-26
https://orca.security/resources/blog/cve-2026-5027-langflow-path-traversal-rce/
https://www.cve.org/CVERecord?id=CVE-2026-53435
https://www.cve.org/CVERecord?id=CVE-2026-53441
https://www.jenkins.io/security/advisory/2026-06-10/
https://www.cve.org/CVERecord?id=CVE-2026-11933
https://www.cve.org/CVERecord?id=CVE-2026-9740
https://www.cve.org/CVERecord?id=CVE-2026-9750
https://www.cve.org/CVERecord?id=CVE-2026-9743
https://securityonline.info/mongodb-server-vulnerability/
https://jira.mongodb.org/browse/SERVER-125063
https://www.cve.org/CVERecord?id=CVE-2026-54420
https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/
https://securityonline.info/simplehelp-authentication-bypass/
https://nvd.nist.gov/vuln/detail/CVE-2026-48558
https://www.cve.org/CVERecord?id=CVE-2026-48558
https://github.com/advisories/GHSA-m93h-gjv2-fmq2