Google Confirms Hackers Are Actively Attacking Critical Security Vulnerability Right Now

By 813 Staff

Security teams at major enterprises began quietly deploying emergency patches over the weekend, sources familiar with the matter tell 813 Morning Brief, hours before Google publicly acknowledged that CVE-2026-21385 was being actively exploited in the wild. Internal documents show that at least three Fortune 500 companies received advance notification from Google's Threat Analysis Group on Friday evening, giving them a narrow window to respond before word spread across security channels.

Google confirmed the high-severity vulnerability on Monday, marking it as under active exploitation according to a disclosure first reported by The Hacker News. Engineers close to the project say the flaw affects multiple Google products, though the company has not yet specified which services are impacted or the full scope of the attack surface. The CVE designation indicates the vulnerability was identified in 2026, but the timeline between discovery and exploitation remains unclear.

What makes this disclosure particularly concerning is the "in the wild" classification. When security researchers use this term, it means attackers are already leveraging the vulnerability in real-world campaigns, not just proof-of-concept demonstrations in controlled environments. The high-severity rating suggests the flaw could enable significant unauthorized access or data exposure, though Google has not released technical details that would help independent researchers assess the risk.

The rollout has been anything but smooth. Multiple security practitioners reported on private Slack channels and industry forums that they received conflicting guidance about patch priority over the weekend. Some organizations were advised to treat this as a critical emergency requiring immediate action, while others were told standard patch management cycles would suffice. This inconsistency suggests Google may still be assessing the full impact internally.

Engineers familiar with Google's vulnerability disclosure process note that the company typically releases detailed technical advisories within 72 hours of public acknowledgment. That timeline would put a comprehensive disclosure sometime Wednesday or Thursday, assuming no complications arise. What remains uncertain is whether the exploitation is targeted at specific high-value accounts or represents a broader campaign affecting consumer users.

Security teams should monitor Google's official security bulletins for updates and technical details that will clarify which products require immediate patching. Organizations using Google Workspace, Cloud Platform, or Chrome should prioritize reviewing their security dashboards for any unusual activity. The incident underscores the ongoing challenge of coordinating vulnerability disclosures when active exploitation compresses response windows to hours rather than days.

Source: https://x.com/TheHackersNews/status/2028729423277732130
