Fortinet, Cisco, and Splunk Lead This Week’s CVE Priorities - Safe Security

Jun 23, 2026

By SAFE Threat Research Team

This week’s vulnerability exploitation activity is concentrated on systems that provide attackers with useful leverage: security appliances, network controllers, observability platforms, and widely deployed web components. These are high-value targets because compromise can extend beyond a single application, creating broader access, control, or visibility across an environment.

Fortinet FortiSandbox, Cisco Catalyst SD-WAN Manager, and Splunk Enterprise sit at the center of this pattern, with risks ranging from command execution to authentication bypass. Several of these CVEs carry high exploitation signals.

Vulnerability Landscape

Trending Vulnerabilities

Top Exploited CVEs This Week: Fortinet, Cisco SD-WAN, Splunk Enterprise

Eight CVEs moved into focus this week based on confirmed exploitation signals. Each one is a pre-existing vulnerability, which points to unresolved exposure across systems that may still be reachable or insufficiently patched.

Top CVEs to Watch

Splunk Enterprise: unauthenticated file manipulation vulnerability under active exploitation (CVE-2026-20253)

CVE-2026-20253 is a critical vulnerability in Splunk Enterprise, versions below 10.2.4 and 10.0.7, where an unauthenticated user can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. This weakness arises from missing authentication controls, giving attackers opportunities to manipulate files on the affected systems, potentially leading to operational disruptions or the staging of additional payloads.

The vulnerability is actively exploited, and CISA has listed it in the Known Exploited Vulnerabilities catalog. To mitigate this risk, organizations should upgrade to Splunk Enterprise 10.2.4 or higher. If immediate upgrading is infeasible, disabling the PostgreSQL sidecar service can reduce exposure.

Fortinet FortiSandbox: Active Exploitation of Command Injection Vulnerabilities (CVE-2026-25089, CVE-2026-39813, CVE-2026-39808)

Several critical vulnerabilities have been identified in Fortinet’s FortiSandbox, specifically CVE-2026-25089, CVE-2026-39813, and CVE-2026-39808. These vulnerabilities result from improper neutralization of special elements in OS commands, enabling unauthenticated attackers to execute remote commands via crafted HTTP requests.

Currently, these vulnerabilities are actively exploited by cyber criminals, posing a significant risk to network security. In response, Fortinet has released patches, which should be applied to all affected versions: 5.0.0 to 5.0.5 and 4.4.0 to 4.4.8. Enterprises are urged to update their systems and limit exposure until fixes are applied.

Cisco Catalyst SD-WAN Manager Under Active Exploitation (CVE-2026-20262)

Cisco has announced that an actively exploited vulnerability in Catalyst SD-WAN Manager (CVE-2026-20262) allows authenticated remote attackers to create or overwrite files, eventually leading to elevated root privileges. The flaw stems from insufficient validation of user input during file upload, which lets an attacker write files and execute arbitrary commands. The critical flaw affects various deployments, including on-prem, cloud, and government systems. Cisco’s Product Security Incident Response Team urges administrators to implement immediate mitigations as directed in the Cisco advisory, available on Cisco’s security page.

LiteSpeed cPanel Plugin: UNIX Symlink Vulnerability Impact and Mitigation (CVE-2026-54420)

CVE-2026-54420 affects the LiteSpeed cPanel plugin before version 2.4.8 and the LiteSpeed WHM Plugin before version 5.3.2.0. The flaw lies in UNIX symlink handling in CloudLinux and CageFS environments and allows an attacker with FTP or web shell access to escalate impact beyond the initially compromised account.

The vulnerability is known to be exploited in the wild, making it a priority for shared hosting providers. Update the LiteSpeed cPanel plugin to 2.4.8 or later, upgrade the LiteSpeed WHM Plugin to 5.3.2.0 or later, and validate symlink isolation controls across affected servers.

Joomla Content Editor: unauthenticated code execution vulnerability under active exploitation (CVE-2026-48907)

CVE-2026-48907 poses a critical risk to Joomla Content Editor (JCE) installations by allowing unauthenticated users to exploit improper access controls. This flaw permits the creation of new editor profiles, enabling arbitrary code execution through PHP uploads. Versions from 1.0.0 through 2.9.99.4 are vulnerable; a patch is available starting with version 2.9.99.6. It’s crucial for users to upgrade immediately to mitigate exposure, given that active exploitation has been confirmed with publicly available exploit code and automated attacks.

Active Exploitation of Gravity SMTP Plugin Vulnerability (CVE-2026-4020)

The Gravity SMTP WordPress plugin, up to version 2.1.4, contains a critical vulnerability (CVE-2026-4020) that permits unauthenticated attackers to access a REST API endpoint. By manipulating the gravitysmtp-settings query parameter, malicious actors can retrieve extensive system configuration data, including API keys and authentication tokens, which are critical for securing email functionalities and other integrated services. Despite a patch being available since March 2026, many instances of the plugin remain unpatched, leaving over 100,000 sites exposed. Administrators are urged to update Gravity SMTP to the latest version immediately.

Critical vulnerability in Oracle Coherence (CVE-2026-35307)

CVE-2026-35307 identifies a critical vulnerability within Oracle Coherence, a component of Oracle Fusion Middleware, affecting versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw allows an unauthenticated attacker with network access to execute a complete system takeover via HTTP, drastically compromising confidentiality, integrity, and availability. Despite the absence of in-the-wild exploitation signal, the pre-exploitation risk signals indicate that vigilance is necessary.

What Security Teams Should Prioritize

  • Move confirmed exploitation cases to the front of the queue. Prioritize Splunk Enterprise, Fortinet FortiSandbox, Cisco Catalyst SD-WAN Manager, LiteSpeed cPanel Plugin, Joomla Content Editor, and Gravity SMTP where the affected systems are exposed, business-critical, or difficult to isolate.
  • Reduce reachability while patching is in progress. Restrict access to management interfaces, disable non-essential services such as vulnerable sidecar components, limit plugin and API exposure, and enforce trusted network access wherever immediate patching is not possible.
  • Look for signs of post-exploitation, not just vulnerable versions. For Joomla Content Editor and Gravity SMTP, patching alone may not be enough if attackers have already created profiles, uploaded PHP files, or accessed sensitive configuration data. Review logs, scan for unexpected files, and rotate exposed keys or tokens.
  • Treat shared and managed infrastructure as higher blast-radius environments. LiteSpeed cPanel Plugin and ProxySQL issues can have a broader impact when they sit in hosting, multi-tenant, or database routing environments. Validate isolation controls, source-address handling, and access boundaries.
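The prioritization above starts with knowing which deployed versions fall inside the affected ranges stated in this roundup. The following is an added example, not SAFE's or any vendor's code: it encodes those ranges and sorts a constructed inventory so confirmed-exploited CVEs come first. It assumes Splunk's two fixed builds (10.2.4 and 10.0.7) are per-branch fixes, covers only the LiteSpeed cPanel plugin for CVE-2026-54420 (the WHM plugin would need its own entry), and returns None for CVE-2026-20262, for which the text gives no version range.

```python
"""Added example: version triage against the affected ranges stated in this roundup."""
from typing import Optional, Union

Rule = Union[str, tuple]  # exact version string, or (lo_inclusive, hi_exclusive); lo None = open

# Ranges as given in the text. Assumption: Splunk 10.2.x below 10.2.4 and 10.0.x
# below 10.0.7 are flagged; other branches are not classified by this example.
AFFECTED: dict = {
    "CVE-2026-20253": [("10.2.0", "10.2.4"), ("10.0.0", "10.0.7")],  # Splunk Enterprise
    "CVE-2026-25089": [("5.0.0", "5.0.6"), ("4.4.0", "4.4.9")],      # FortiSandbox 5.0.0-5.0.5, 4.4.0-4.4.8
    "CVE-2026-39813": [("5.0.0", "5.0.6"), ("4.4.0", "4.4.9")],
    "CVE-2026-39808": [("5.0.0", "5.0.6"), ("4.4.0", "4.4.9")],
    "CVE-2026-54420": [(None, "2.4.8")],                            # LiteSpeed cPanel plugin only
    "CVE-2026-48907": [("1.0.0", "2.9.99.5")],                      # JCE 1.0.0 through 2.9.99.4
    "CVE-2026-4020": [(None, "2.1.5")],                             # Gravity SMTP up to 2.1.4
    "CVE-2026-35307": ["12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0", "15.1.1.0.0"],  # Oracle Coherence
}
# CVEs the text reports as exploited in the wild (Oracle Coherence is not).
EXPLOITED = set(AFFECTED) - {"CVE-2026-35307"}

def parse_version(s: str) -> tuple:
    """Dotted version string to an int tuple so Python tuple ordering compares it."""
    return tuple(int(p) for p in s.strip().split("."))

def is_affected(cve: str, version: str) -> Optional[bool]:
    """True/False from the ranges above; None when the page gives no version data."""
    rules = AFFECTED.get(cve)
    if rules is None:
        return None
    v = parse_version(version)
    for rule in rules:
        if isinstance(rule, str):  # exact affected build
            if v == parse_version(rule):
                return True
        else:
            lo, hi = rule
            if (lo is None or v >= parse_version(lo)) and v < parse_version(hi):
                return True
    return False

def triage(inventory: list) -> list:
    """(priority, host, cve) for affected hosts; exploited CVEs sort to the front."""
    out = []
    for host, cve, version in inventory:
        if is_affected(cve, version):
            out.append(("P1-exploited" if cve in EXPLOITED else "P2-no-itw-signal", host, cve))
    return sorted(out)

# Constructed sample inventory; hostnames and versions are not real assets.
INVENTORY = [
    ("splunk-01", "CVE-2026-20253", "10.2.3"),
    ("splunk-02", "CVE-2026-20253", "10.2.4"),
    ("sandbox-01", "CVE-2026-25089", "4.4.8"),
    ("coherence-01", "CVE-2026-35307", "14.1.2.0.0"),
    ("wp-01", "CVE-2026-4020", "2.1.5"),
]
```

Running `triage(INVENTORY)` flags splunk-01 and sandbox-01 as P1 and coherence-01 as P2; the two patched hosts are not listed.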

For teams managing large vulnerability backlogs, the value is in knowing what should move first.

SAFE CTEM helps bring exploitability, exposure, and business context into that decision.