< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 11 of 35

China-linked Storm-1175 Uses Zero-Days to Deploy Medusa

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.
read more →

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.
read more →

Microsoft: Medusa Affiliate Storm-1175 Uses Zero-Day

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.
read more →

CISA Orders Feds to Patch Fortinet EMS Zero-Day Urgently

⚠️ CISA has ordered federal agencies to patch FortiClient EMS instances by April 9 after the discovery of CVE-2026-35616, a pre-authentication API access bypass. Fortinet released emergency hotfixes and said unauthenticated attackers can execute code via specially crafted requests. Administrators are urged to apply hotfixes or upgrade to 7.4.7 immediately to mitigate active exploitation.
read more →

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.
read more →

CISA Adds New KEV Entry for Fortinet FortiClient EMS

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-35616, an Improper Access Control flaw affecting Fortinet FortiClient EMS. The agency reports evidence of active exploitation and highlights that this vulnerability class is a common attack vector posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by their due dates, and CISA urges all organizations to prioritize timely remediation.
read more →

Emergency Patch for FortiClient EMS Zero-Day Exploit

⚠️ Fortinet released an emergency weekend hotfix to address a critical pre-authentication flaw in FortiClient EMS (CVE-2026-35616) that is being actively exploited in the wild. The improper access control defect allows unauthenticated attackers to execute commands via specially crafted API requests and affects versions 7.4.5 and 7.4.6. Fortinet urges immediate installation of the hotfixes or upgrading to 7.4.7 when available. Shadowserver reports over 2,000 exposed EMS instances, primarily in the US and Germany.
read more →

Automated Credential Theft via React2Shell in Next.js

🔒 Cisco Talos reports attackers are exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js applications to run an automated credential-harvesting campaign. The operation uses a framework called NEXUS Listener and deploys scripts into standard temporary directories to extract environment secrets, SSH keys, cloud tokens, API keys, and command histories. Researchers observed at least 766 hosts compromised across multiple cloud providers, with sensitive data exfiltrated in chunks to a C2 server over HTTP. Administrators should apply React2Shell patches, rotate exposed credentials immediately, enforce IMDSv2, enable secret scanning, and deploy WAF/RASP protections and least-privilege controls.
read more →

Fortinet issues hotfix for actively exploited FortiClient EMS

🔧 Fortinet has released an out‑of‑band hotfix for a critical pre‑authentication API access bypass in FortiClient EMS (CVE-2026-35616, CVSS 9.1) that has been observed exploited in the wild. The flaw allows unauthenticated attackers to bypass API authentication and authorization protections and execute commands on affected systems, impacting versions 7.4.5–7.4.6. Fortinet urges immediate installation of the hotfix and says a full remediation will be included in 7.4.7.
read more →

React2Shell exposure reveals large-scale credential theft

🔍 Researchers at Cisco Talos discovered that an apparent security lapse exposed the backend of a campaign exploiting the four-month-old React2Shell (CVE-2025-55182) Next.js flaw. A password-protected database and web application holding harvested credentials, tokens, SSH keys, and API secrets was briefly accessible, letting analysts view the attackers' dashboard. The automated campaign compromised hundreds of hosts in a single day and prompted notifications to affected providers while urging immediate patching.
read more →

CISA Adds One Known-Exploited Vulnerability to KEV Catalog

⚠️ CISA has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The vulnerability affects the TrueConf client and permits downloaded code to be executed without an integrity check, increasing the risk that attackers can deliver tampered or malicious payloads. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required deadline; CISA strongly urges all organizations to prioritize timely remediation and strengthen routine vulnerability management.
read more →

14,000+ F5 BIG-IP APM Instances Exposed to RCE Attacks

⚠️ Shadowserver reports over 14,000 Internet-exposed BIG-IP APM instances remain vulnerable to CVE-2025-53521 after the flaw was reclassified from DoS to remote code execution. F5 confirmed the reclassification and warned that attackers are exploiting unpatched systems with access policies on virtual servers. F5 and CISA have published IOCs and mitigation guidance, and F5 recommends rebuilding compromised devices from known-good sources.
read more →

STARDUST CHOLLIMA Likely Compromises Axios npm Package

🔒 On March 31, 2026, threat actors used stolen maintainer credentials to compromise the widely used Axios npm package and distribute platform-specific variants of the ZshBucket implant. Observed samples target Linux, macOS and Windows and retain prior profiling and exfiltration behavior while adding a common JSON messaging protocol. The updated implants support binary injection, arbitrary script execution, file system enumeration and remote termination. CrowdStrike attributes the activity to STARDUST CHOLLIMA with moderate confidence based on ZshBucket linkage and infrastructure overlaps.
read more →

Claude-assisted discovery: Vim and Emacs file-open RCE

🛡️ Researcher Hung Nguyen used the Claude assistant to locate remote code execution flaws in Vim and GNU Emacs that can trigger simply by opening a crafted file. Claude produced multiple refined proof‑of‑concept exploits and suggested mitigations. Vim was patched in Vim 9.2.0272, while the Emacs issue remains unpatched because maintainers attribute the root cause to Git's core.fsmonitor behavior; users should avoid opening untrusted files.
read more →

Axios npm Compromised: Malicious Releases Deployed RAT

🚨 Attackers compromised the npm account of Axios' lead maintainer and pushed trojanized releases that install a cross-platform remote access trojan on developer machines. The malicious versions axios@1.14.1 and axios@0.30.4 pulled a staged dependency plain-crypto-js@4.2.1 containing a postinstall dropper. Multiple security vendors detected the packages within minutes and npm removed them within two to three hours, but the short window was enough to affect many environments.
read more →

Critical RCE in F5 BIG-IP APM Originally Labeled DoS

⚠️ Five-month-old F5 BIG-IP APM flaw initially classified as a denial-of-service is now confirmed as a pre-authentication remote code execution vulnerability (CVE-2025-53521) being exploited in the wild. F5 updated its advisory, raised the CVSS to 9.8, and CISA added the issue to its KEV catalog after reports of active exploitation and observed root‑level malware persistence. Affected versions include 15.1.x, 16.1.x, 17.1.x and 17.5.x; F5 has released fixes, IOCs, and hardening guidance, but organizations should patch immediately and perform compromise assessments rather than rely solely on backups.
read more →

Axios npm Account Compromised to Deliver Cross-Platform RATs

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.
read more →

TrueConf Update Zero-Day Used to Deliver Malware at Scale

🛠️ Check Point Research identified a zero-day (CVE-2026-3502, CVSS 7.8) in the TrueConf client update mechanism that was abused to deliver malware via legitimate software updates. Exploitation was observed in the wild targeting government entities in Southeast Asia and required no phishing or prior compromise. The attack chain culminated with deployment of Havoc, a powerful post-exploitation framework, and the vendor released a remediation after disclosure.
read more →

NCSC Urges Immediate Patching of Critical F5 BIG-IP Flaw

⚠️ The UK’s NCSC is urging organisations to immediately patch a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) tracked as CVE-2025-53521, which is under active exploitation and can enable remote code execution when an APM access policy is configured on a virtual server. F5 has reclassified the issue from a denial‑of‑service to RCE with a revised CVSS of 9.8 after new information, and CISA has added it to its KEV catalog with a mandated federal patch deadline. Customers should follow F5’s incident‑handling and forensic guidance, isolate or rebuild affected systems, and report suspected compromises to the NCSC.
read more →

CISA Orders Federal Agencies to Patch Citrix Flaw Urgently

⚠️ CISA has ordered federal agencies to patch Citrix NetScaler appliances for CVE-2026-3055 by Thursday, April 2, after vendors warned the flaw is being actively exploited. The vulnerability arises from insufficient input validation in ADC and Gateway appliances configured as SAML identity providers and can enable unauthenticated attackers to steal admin session IDs and other sensitive information. Watchtowr reported in-the-wild abuse days after Citrix released fixes on March 23, and CISA has added the issue to its KEV Catalog and invoked BOD 22-01.
read more →