2026年5月17日の
セキュリティ情報

Subject: [Security Alert] Vulnerability in WordPress Funnel Builder Plugin

Dear Team,

We are sharing information regarding a critical vulnerability in the Funnel Builder plugin for WordPress/WooCommerce.

■ Overview
Attackers are actively exploiting a flaw in the Funnel Builder plugin to inject e-skimming code into checkout pages. By inserting malicious scripts into the "External Scripts" setting, they can steal sensitive payment data, including credit card numbers and CVVs.

■ Scope
- Affected Product: Funnel Builder by FunnelKit

■ Mitigation Steps
1. Update the Funnel Builder plugin to the latest secure version immediately.
2. Review the "External Scripts" settings within the plugin for any unauthorized or suspicious entries.
3. Audit checkout pages for the presence of unauthorized JavaScript injections.

■ Reference
- Sansec Research Report

Priority: High
Deadline: Immediate

Subject: [Security Alert] Microsoft Exchange Server CVE-2026-42897 and Supply Chain Threats

Dear Team,

This is a technical update regarding several critical threats reported in the latest Security Affairs newsletter.

■ Overview
Active exploitation of a Microsoft Exchange Server zero-day (CVE-2026-42897) has been confirmed and added to CISA's KEV catalog. Additionally, a supply chain attack targeting OpenAI via malicious TanStack packages and new long-term access tools developed by APT Turla have been identified.

■ Scope
- Microsoft Exchange Server installations
- Development environments utilizing TanStack libraries
- Ukrainian government entities (targeted by Ghostwriter)

■ Action Plan
1. Immediately apply the latest security patches for Microsoft Exchange Server.
2. Audit software dependencies for any malicious versions of TanStack or other third-party packages.
3. Monitor CISA's KEV catalog for newly added vulnerabilities requiring urgent remediation.

■ Reference
- CISA KEV Catalog
- Microsoft Security Response Center (MSRC)

Priority: High
Deadline: Immediate

Subject: [Info] Privilege Escalation Vulnerability Report in Azure Backup for AKS

Hi all,

This is a technical update regarding a reported vulnerability in Azure Backup for AKS.

■ Overview
A security researcher has disclosed a flaw where a user with the low-privileged "Backup Contributor" role could escalate privileges to "cluster-admin". While Microsoft has rejected the report and blocked the CVE issuance, claiming the behavior is expected, the researcher suggests a silent patch has been implemented.

■ Scope
- Environments utilizing Azure Backup for AKS

■ Recommended Actions
1. Review Azure RBAC assignments to ensure the "Backup Contributor" role is not over-provisioned.
2. Enforce the principle of least privilege (PoLP) across your AKS clusters.

■ Reference
- BleepingComputer article

Priority: Medium
Deadline: Next scheduled permission review

Subject: [Technical Alert] WAF Bypass via High-bit Truncation (Ghost Bits) in Java

Dear Team,

We are sharing information regarding a WAF bypass technique known as "Ghost Bits" affecting Java-based environments.

■ Overview
This technique exploits the data loss that occurs during the conversion between Java's 16-bit char and 8-bit byte types. Attackers can craft payloads that appear benign to the WAF but are interpreted as malicious characters by the backend application. This is demonstrated in relation to CVE-2025-41242.

■ Scope
- Java-based WAF solutions
- Web applications utilizing Java for input validation and normalization

■ Mitigation Steps
1. Identify and update Java-based WAFs and application frameworks to the latest patched versions.
2. Review input normalization logic to ensure that type casting does not introduce vulnerabilities.

■ Reference
- CVE-2025-41242

Priority: High
Deadline: Immediate review

Subject: [Info] Zero-Day Vulnerabilities Disclosed at Pwn2Own Berlin 2026

Dear team,

This is a notification regarding the vulnerabilities disclosed during Pwn2Own Berlin 2026.

■ Overview
A total of 47 unique zero-day vulnerabilities were demonstrated. Notably, a successful attack chain was used to compromise Microsoft SharePoint. Other targeted platforms included VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex.

■ Scope
- Microsoft SharePoint
- VMware ESXi
- Windows 11
- Red Hat Enterprise Linux
- OpenAI Codex

■ Action Plan
1. Monitor official vendor advisories for detailed vulnerability information and patches.
2. Apply security updates as soon as they become available.

■ Reference
- ZDI (Zero Day Initiative) official announcements

Priority: Medium
Deadline: As soon as patches are released