Programmer’s Digest #187

05/27/2026-06/03/2026 Critical Oracle WebLogic Vulnerability, Critical Gogs RCE Vulnerability, Critical FortiClient EMS Flaw And More.

1. CISA Warns of Active Exploitation of Critical Oracle WebLogic Vulnerability

CISA has ordered federal agencies to secure systems affected by CVE-2024-21182, a critical Oracle WebLogic Server vulnerability now being actively exploited. The flaw impacts WebLogic versions 12.2.1.4.0 and 14.1.1.0.0 and can be exploited remotely without authentication, potentially allowing attackers to access sensitive data, execute malicious code, escalate privileges, and compromise enterprise infrastructure.

CISA added the vulnerability to its KEV Catalog and requires federal agencies to patch or mitigate affected systems by June 4 under Binding Operational Directive 22-01. Despite Oracle releasing fixes in 2024, over 1,500 internet-facing WebLogic servers remain vulnerable. WebLogic remains a frequent target for ransomware groups, espionage actors, and other cybercriminals due to its widespread use in critical sectors. CISA is urging organizations to apply updates immediately, restrict internet exposure, monitor systems for suspicious activity, and conduct security assessments to reduce risk.

2. Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

A critical remote code execution (RCE) vulnerability has been discovered in Gogs, a self-hosted Git service, scoring 9.4 on the CVSS scale. No CVE has been assigned, and it remains unpatched despite being reported to maintainers on March 17, 2026. The flaw lets any authenticated user execute arbitrary code by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during a merge operation. No admin privileges or interaction with other users is required — an attacker simply needs an account and a repository on a default-configured instance.

Successful exploitation could allow an attacker to breach the server, access all hosted repositories, dump credentials, move laterally across the network, and read other users’ private repositories.

Until a patch is available, administrators should restrict user registration and repository creation in app.ini, and audit rebase merge settings. Rapid7 has published a Metasploit module automating the full exploit chain against Linux and Windows targets.
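As an added defensive example (not Gogs code or the Rapid7 module), the following Python shows the kind of ref-name validation that blocks the argument-injection pattern described above: a branch name beginning with "-" is read by git as an option rather than a name. The checks are an assumed subset of git's own check-ref-format rules, and the sample branch names are constructed.

```python
import re

# Subset of git's ref-name rules (an approximation, not the full set) plus
# the guard this issue is about: a ref starting with "-" is parsed by git as
# a command-line option, which is how an "--exec" flag can be smuggled in.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")

def is_safe_ref_name(name: str) -> bool:
    """Return True if `name` is a plausible git branch name that can never
    be mistaken for an option by git."""
    if not name or name.startswith("-"):
        return False                      # "-i", "--exec=..." look like options
    if _FORBIDDEN.search(name):
        return False                      # control chars, space, ~ ^ : ? * [ \
    if ".." in name or "@{" in name or name == "@":
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith(".") or name.endswith(".lock"):
        return False
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True

def merge_argv(base: str, head: str) -> list[str]:
    """Build the argument vector for a rebase-style merge, refusing any ref
    name that fails validation instead of letting it reach git at all."""
    for ref in (base, head):
        if not is_safe_ref_name(ref):
            raise ValueError(f"refusing unsafe ref name: {ref!r}")
    return ["git", "rebase", base, head]

def audit_branch_names(names):
    """Return the names that fail validation, e.g. when auditing the
    branches already present across hosted repositories."""
    return [n for n in names if not is_safe_ref_name(n)]

# Constructed sample of branch names, not taken from any real instance.
SAMPLE_BRANCHES = [
    "main",
    "feature/login-fix",
    "--exec=hostname",      # would be read by git as an option, not a ref
    "-i",
    "release/1.2..3",
    "hotfix/.hidden",
]

if __name__ == "__main__":
    print(audit_branch_names(SAMPLE_BRANCHES))
```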

3. Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Hackers are exploiting a critical authentication bypass flaw (CVE-2026-35616) in Fortinet’s FortiClient Enterprise Management Server (EMS) to deploy a previously undocumented credential stealer dubbed EKZ. The vulnerability allows unauthenticated attackers to execute arbitrary code via specially crafted requests.

Fortinet released emergency hotfixes in early April, and CISA ordered federal agencies to patch immediately. At the time, roughly 2,000 internet-exposed EMS instances were identified. In observed attacks, threat actors abuse endpoint APIs to perform unauthenticated administrative actions, modify VPN policies, and inject malicious scripts. Once an IPsec tunnel is established, legitimate FortiClient components silently execute PowerShell payloads that download EKZ disguised as a Fortinet update and exfiltrate harvested data over HTTP.

EKZ targets Chromium and Firefox browsers, stealing credentials, credit card details, cookies, and more. Defenders should watch for certificate-authentication anomalies, unexpected Remote Access Profile changes, and administrative actions originating from Tor or VPS IP addresses. Arctic Wolf’s report provides detailed detection guidance.

4. Malicious npm Package Stole Files From Claude AI User Directory via GitHub

A new malicious package, “mouse5212-super-formatter,” has been discovered on npm with data-stealing capabilities. It targets “/mnt/user-data,” a directory used by Anthropic’s Claude AI tool. Dubbed Malware-Slop, the malware disguises itself as a sync utility but actually authenticates to GitHub—using either a stolen token or a hard-coded fallback—and uploads all local files to an attacker-controlled account. Stolen files are stored in random folders to differentiate theft sessions. Fake network logs help hide its true behavior.

The package remains available on npm, with an estimated 676 downloads. The associated GitHub account, created on May 26, 2026, is now gone. Notably, the malware leaked its own private token, suggesting the attacker used AI to generate code without proper operational security. As OX Security warns, the lowered bar for creating malware means more sloppy, copycat threats will emerge until platforms like npm automatically block malicious packages.
