Defender Zero-Day and Cisco CVSS 10.0 Lead Patch Wave
CISA flags a Microsoft Defender zero-day as actively exploited, while Cisco and WordPress platforms face critical unauthenticated RCEs.

CISA adds five legacy Microsoft flaws to KEV alongside a new Defender zero-day, as Cisco and WordPress platforms face critical unauthenticated RCEs. CISA elevated CVE-2008-4250 (MS08-067), CVE-2010-0806, CVE-2010-0249, CVE-2009-3459, and CVE-2009-1537 to its Known Exploited Vulnerabilities catalog — all ancient but still weaponized in ongoing campaigns. More urgently, Microsoft confirmed active exploitation of CVE-2026-41091, a privilege-escalation flaw in Microsoft Defender that allows an authorized attacker to elevate privileges via improper link resolution. As BleepingComputer reported, this is part of a pair of Defender zero-days (alongside CVE-2026-45498) that Microsoft dubbed "UnDefend" and "RedSun" in internal tracking. Help Net Security notes that exploitation chains combine the two flaws to achieve full system compromise from a low-privilege foothold. The KEV additions underscore how attackers continue to weaponize decades-old worms like Conficker-era MS08-067 alongside modern zero-days.
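The Defender flaw is described as privilege escalation through improper link resolution, the generic pattern in which a privileged process writes to a path an unprivileged user can replace with a symlink. The following is an added example, not Microsoft's code or the patched logic: it shows the careless writer beside one that refuses to traverse a link (`O_NOFOLLOW`), in a constructed temp-directory scenario on a POSIX system.

```python
import errno
import os
import tempfile


def write_report_unsafe(path: str, data: bytes) -> None:
    """Vulnerable pattern: open() follows a symlink at `path`, so a writer
    running with higher privileges is redirected to wherever the link points."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_report_safe(path: str, data: bytes) -> None:
    """Hardened pattern: O_NOFOLLOW makes the kernel refuse a symlink at the
    final path component (ELOOP on Linux, EMLINK on some BSDs), and the file
    is created with owner-only permissions."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError(f"refusing to follow symlink at {path}") from exc
        raise
    try:
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a temp dir: `victim` must not be touched, and a
    link planted at the expected report path points at it. Reports what each
    writer did to `victim`."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        report = os.path.join(tmp, "report.log")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        os.symlink(victim, report)

        write_report_unsafe(report, b"clobbered")
        with open(victim, "rb") as fh:
            unsafe_result = fh.read()

        with open(victim, "wb") as fh:  # restore, then try the hardened writer
            fh.write(b"original")
        blocked = False
        try:
            write_report_safe(report, b"clobbered")
        except PermissionError:
            blocked = True
        with open(victim, "rb") as fh:
            safe_result = fh.read()

    return {
        "unsafe_overwrote_victim": unsafe_result == b"clobbered",
        "safe_refused_link": blocked,
        "safe_overwrote_victim": safe_result == b"clobbered",
    }


if __name__ == "__main__":
    print(demo())
```

Refusing the final-component symlink is only part of a complete fix; a privileged service should also write under a directory that untrusted users cannot create entries in, so that the race on intermediate components does not arise in the first place.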
Cisco Secure Workload ships a CVSS 10.0 unauthenticated REST API flaw that grants Site Admin privileges to any remote attacker. CVE-2026-20223 carries a perfect severity score and requires no authentication, no user interaction, and no special network position to exploit. As The Register put it, Cisco "serves up yet another perfect 10 bug" — the vulnerability lives in the access validation of internal REST APIs, allowing an unauthenticated attacker to assume the Site Admin role. The Hacker News reports that Cisco has released patches but no workarounds exist. Given Secure Workload's role in data-center segmentation and zero-trust enforcement, a full admin compromise of the management plane could let attackers rewire network policy, exfiltrate telemetry, and move laterally across monitored workloads. Organizations running Secure Workload should treat this as an emergency-patch priority.
Two Trend Micro Apex One management console flaws (CVE-2025-71210, CVE-2025-71211) enable unauthenticated remote code execution with CVSS 9.8 ratings. Both vulnerabilities allow an attacker to upload malicious code and execute commands on affected installations through the management console. Trend Micro has noted that while these carry a technical critical severity, exploitation requires the management console to be exposed to the internet — a configuration Trend Micro advises against. However, as with similar enterprise endpoint-management consoles, many organizations expose these interfaces for remote administration. The two flaws are similar in scope but affect different components within the console. Given Apex One's deployment across large enterprise fleets, a successful compromise of the management console would give attackers a beachhead to push malicious policies or binaries to every managed endpoint.
Over one million WordPress sites are at risk from an unauthenticated RCE in the Avada Builder plugin (CVE-2026-6279), alongside critical flaws in Divi Form Builder and Gift Cards for WooCommerce Pro. CVE-2026-6279 carries a CVSS 9.8 and affects Avada Builder versions up to 3.15.2, with Wordfence reporting over a million active installations. The vulnerability stems from PHP function injection via the wp_conditional_tags case in Fusion_Builder_Dynamic_CSS, enabling unauthenticated attackers to execute arbitrary PHP code. Separately, CVE-2026-5118 in the Divi Form Builder plugin (up to 5.1.2) allows privilege escalation by accepting a user-controlled 'role' parameter during registration, and CVE-2026-45444 in Gift Cards for WooCommerce Pro (up to 4.2.6) enables unrestricted file upload of dangerous file types. The WordPress ecosystem continues to be the single largest attack surface for unauthenticated RCE, and these three plugins alone represent millions of potential targets.
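The Divi and Gift Cards flaws are two of the most common plugin defects: trusting a client-supplied role during registration, and storing uploads under whatever name and extension the client chose. As an added example (not the plugins' code, written in Python rather than PHP so the checks stand on their own), each mistake is shown beside a hardened handler; the form dictionaries, role policy and allowed extensions are constructed here, though the role names mirror WordPress's.

```python
import os
import re

# Constructed policy: what a self-service registration form may ever produce.
SELF_REGISTER_DEFAULT_ROLE = "subscriber"


def register_vulnerable(form: dict) -> dict:
    """Vulnerable: the role comes from the request, so the client picks it."""
    return {"login": form["login"],
            "role": form.get("role", SELF_REGISTER_DEFAULT_ROLE)}


def register_hardened(form: dict) -> dict:
    """Hardened: the role is server policy, never request data. A client that
    sends one is ignored and the attempt is recorded for the audit log."""
    account = {"login": form["login"], "role": SELF_REGISTER_DEFAULT_ROLE}
    if "role" in form:
        account["audit"] = f"ignored client-supplied role {form['role']!r}"
    return account


# Constructed allowlist for the upload handler; the real list depends on what
# the feature needs, and the upload directory must additionally be served
# without script execution, since the allowlist only judges the final extension.
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
UPLOAD_ROOT = "/var/www/uploads"
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def accept_upload_vulnerable(filename: str) -> str:
    """Vulnerable: any name, any extension, straight under the web root."""
    return os.path.join(UPLOAD_ROOT, filename)


def accept_upload_hardened(filename: str) -> str:
    """Hardened: drop directory components (both separators), require a plain
    name that does not start with a dot, and allowlist the final extension."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        raise ValueError(f"rejected upload name {filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise ValueError(f"rejected extension {ext!r} for {filename!r}")
    return os.path.join(UPLOAD_ROOT, name)


def upload_is_rejected(filename: str) -> bool:
    """Helper for checks: True when the hardened handler refuses the name."""
    try:
        accept_upload_hardened(filename)
    except ValueError:
        return True
    return False
```

The registration fix is deliberately not a "validate the role" check: a role allowlist still lets the client choose among allowed values, whereas ignoring the field entirely removes the decision from the request.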
Altium 365, NVIDIA Triton Inference Server, and Netatalk disclose critical flaws spanning missing authentication, heap overflows, and insecure deserialization. CVE-2026-9152 in Altium 365's SearchService exposes a legacy SOAP endpoint that requires no authentication for search index operations — an unauthenticated attacker can read, modify, or delete indexed data. CVE-2026-24207 in NVIDIA Triton Inference Server enables authentication bypass that could lead to code execution and data tampering, a significant concern given Triton's deployment in AI/ML production pipelines. CVE-2026-44050 in Netatalk (versions 2.0.0 through 4.4.2) is a heap-based buffer overflow in the CNID daemon's comm_rcv() function that allows a remote authenticated attacker to execute arbitrary code with escalated privileges. Meanwhile, CVE-2026-31072 in APScheduler (all versions including 3.10.x and 4.0.0a5) enables RCE via insecure deserialization in JSONSerializer and CBORSerializer — a supply-chain risk for any Python application using this popular task scheduler.
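The APScheduler entry describes insecure deserialization in its JSON and CBOR serializers. As an added example (not APScheduler's code; its serializer internals are not reproduced here), a toy scheduler store shows the general shape of the defect, a document that names the class to instantiate, beside a loader that only builds types from a fixed registry. The `Job` type, the registry and the hostile document are all constructed for the example.

```python
import importlib
import json
from dataclasses import dataclass


@dataclass
class Job:
    """The only type this constructed scheduler legitimately stores."""
    name: str
    interval_s: int


def dumps(job: Job) -> str:
    """Serialize a Job to the store's JSON document shape."""
    return json.dumps({"__type__": "Job",
                       "state": {"name": job.name, "interval_s": job.interval_s}})


def loads_vulnerable(blob: str):
    """Vulnerable pattern: the document itself names the class to instantiate,
    so any importable callable the process can reach is reachable from data.
    Illustrative only; APScheduler's serializers are not reproduced."""
    doc = json.loads(blob)
    module_name, _, attr = doc["__type__"].rpartition(".")
    cls = getattr(importlib.import_module(module_name), attr)
    return cls(**doc["state"])


REGISTRY = {"Job": Job}


def loads_hardened(blob: str) -> Job:
    """Hardened pattern: type names are looked up in a fixed registry, never
    imported from the document, and the state keys must match the dataclass
    exactly; anything else is refused before any constructor runs."""
    doc = json.loads(blob)
    cls = REGISTRY.get(doc.get("__type__"))
    if cls is None:
        raise ValueError(f"refusing unregistered type {doc.get('__type__')!r}")
    state = doc.get("state", {})
    if not isinstance(state, dict) or set(state) != set(cls.__dataclass_fields__):
        raise ValueError("state does not match the registered schema")
    return cls(**state)


def is_rejected(blob: str) -> bool:
    """Helper for checks: True when the hardened loader refuses the document."""
    try:
        loads_hardened(blob)
    except ValueError:
        return True
    return False


# Constructed hostile document: it points at a harmless stdlib type that the
# scheduler never intended to build, which is enough to show the difference.
ROGUE_DOC = json.dumps({"__type__": "datetime.timedelta", "state": {"days": 1}})
```

For a real deployment the complementary control is to treat the job store (database, Redis, file) as trusted-write only: if something else can write to it, the loader's allowlist is the last line of defense, not the first.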
Taiko AG1000 SMS Alert Gateways ship with hard-coded credentials and authentication bypass, exposing critical infrastructure to full device takeover. CVE-2026-9139 reveals that authentication in the embedded web interface is implemented entirely in client-side JavaScript in login.zhtml, exposing hard-coded credentials that any network-level attacker can extract. CVE-2026-9141 provides an authentication bypass allowing unauthenticated attackers to access internal application pages without any session. The AG1000-01A is used for SMS-based alerting in industrial and telecom environments, meaning a compromised gateway could be used to intercept or spoof alerts, or as a pivot point into OT networks. Both flaws affect Rev 7.3 and Rev 8 firmware, and no patch has been announced — organizations using these devices should isolate them immediately behind strict network access controls.