Years-old Zero-day vulnerabilities uncovered: a new warning for businesses
- Evelyn Carter

- 1 hour ago
- 4 min read
Several recently disclosed critical security vulnerabilities show that long-standing source code can still conceal weaknesses capable of allowing attackers to escape virtual machines, gain root privileges, or execute code remotely. The new findings affect multiple platforms, ranging from Linux KVM, Android, and UniFi to PAN-OS, PHP, OpenSSH, and AI-integrated development tools.
Some vulnerabilities are believed to have remained undetected for 15 to 16 years before being discovered. This raises significant concerns for businesses that rely on open-source infrastructure, virtualization systems, and software components that have been used reliably for long periods.
A 16-year-old Linux KVM vulnerability could lead to virtual machine escape
One of the most notable findings is Januscape, tracked as CVE-2026-53359. The vulnerability exists in KVM’s Shadow MMU mechanism and is believed to have remained present for nearly 16 years.
According to the disclosed information, a malicious virtual machine could exploit Januscape to corrupt the kernel memory of the physical host. In a severe scenario, an attacker could escape the virtual machine environment and gain root privileges on the host.
The vulnerability was exploited as a zero-day during Google’s kvmCTF security competition before being publicly disclosed. Systems using both Intel and AMD processors may be affected.
For businesses that provide cloud services or operate virtual machines belonging to different entities on the same host, this is a particularly significant risk. A virtual machine escape vulnerability could break the isolation boundary that forms the security foundation of the entire virtualized environment.

GhostLock reveals a privilege escalation flaw dating back to 2011
Another critical vulnerability, named GhostLock and identified as CVE-2026-43499, was discovered in the Linux kernel’s real-time mutex system.
The flaw is believed to have been introduced in 2011 but remained undetected for more than a decade. GhostLock involves a dangling pointer vulnerability that allows an attacker to control the kernel’s execution flow and escalate privileges to root.
Critical vulnerabilities have also appeared across other platforms
In addition to Linux KVM, the latest warnings cover several other widely used products and platforms.
Within the Ubiquiti UniFi ecosystem, the vendor disclosed 25 vulnerabilities. The most notable is CVE-2026-50746, a command injection vulnerability with a CVSS score of 10.0 that can be exploited without authentication. Several other vulnerabilities involving SQL injection, server-side request forgery, or SSRF, and access control were also rated 9.9.
For Palo Alto Networks PAN-OS, CVE-2026-0288 could allow an unauthenticated attacker to remotely execute code or disrupt services on systems using an affected Terminal Server Agent configuration.
Two PHP vulnerabilities, CVE-2026-12184 and CVE-2026-14355, may cause denial of service or memory corruption. In certain cases, the vulnerabilities could cause PHP-FPM processes to stop operating, directly affecting the availability of web applications.
AI tools create a new attack surface
AI programming tools and assistants have also appeared in the latest security warnings.
A vulnerability named GhostApproval is believed to affect several tools, including Amazon Q, Claude Code, Cursor, Augment, Google Antigravity, and Windsurf. By exploiting how these tools process symbolic links, a malicious repository could bypass the approval step and write an attacker’s SSH key into a developer’s authorized_keys file.
What should businesses do in response to the new wave of vulnerabilities?
Organizations should prioritize checking whether their current environments use any affected products, versions, or configurations. Remediation should be based on actual exposure rather than CVSS scores alone.
Internet-facing systems, virtualization hosts, network management devices, and platforms that store authentication credentials should be placed in the highest-priority group.
Businesses should immediately take the following actions:
Apply patches or mitigation measures provided by vendors.
Inventory the Linux kernel, KVM, UniFi, PAN-OS, PHP, and OpenSSH versions currently in operation.
Restrict access to virtualization hosts and administrative interfaces.
Monitor privilege escalation activity, changes to authorized_keys files, and unusual administrator account behavior.
Disable or restrict the automatic command execution capabilities of AI assistants when they process untrusted repositories and documents.
Review logs for signs of exploitation that may have occurred before patches were installed.
What does IPSIP Vietnam’s expert perspective show?
What Can Businesses Implement Internally?
Businesses should standardize Asset Inventory, Patch Management, and Least Privilege practices across their entire Linux infrastructure. Hypervisors and container hosts should be segmented from user networks, administrative privileges should be restricted, untrusted workloads should be controlled, and comprehensive logs should be collected from the kernel, auditd, container runtimes, and virtual machine management systems.
Januscape and GhostLock show that critical weaknesses can remain present for extended periods even within widely used software components. Vietnamese businesses should not wait for evidence of widespread exploitation before taking action.
Which IPSIP Vietnam solutions are suitable?
For businesses that need to verify whether KVM configurations, local access privileges, or segmentation architectures could be exploited, Pentest services can simulate attack scenarios within an authorized scope and assess real-world impact rather than relying solely on automated scanning results. Following patching, businesses still need to monitor for signs of exploitation, privileged access, and unusual behavior on servers.

The 24/7 Security Operations Center can centralize data from servers, endpoints, firewalls, cloud environments, and XDR/SIEM platforms to support continuous detection, investigation, and response.
IPSIP Vietnam’s management and monitoring systems have successfully passed stringent assessments to achieve the ISO 27001:2022 and SOC 2 Type II international information security certifications. By providing core 24/7 services such as the 24/7 Security Operations Center, the 24/7 Network Operations Center, and an on-duty IT Support/Helpdesk team, IPSIP is committed to directly responding to and blocking intrusion attempts at any time of day or night.
References










Comments