< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 12 of 35

Axios Supply Chain Attack Pushes Cross-Platform RAT

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.
read more →

Critical SQL Injection in Fortinet EMS Actively Exploited

⚠️ A critical SQL injection, CVE-2026-21643, is being actively exploited against FortiClient EMS, allowing unauthenticated attackers to execute arbitrary SQL via crafted HTTP requests. The flaw affects EMS 7.4.4 when multi-tenant mode is enabled; Fortinet released 7.4.5 to remediate. Researchers note the endpoint returns database error messages and lacks lockout protections, enabling rapid data extraction and credential theft. Administrators should patch immediately, remove internet exposure, and inspect HTTP headers for anomalous SQL.
read more →

Critical Citrix NetScaler Memory Flaw Actively Exploited

🔒 Citrix disclosed a critical memory overread vulnerability, CVE-2026-3055, in NetScaler ADC and NetScaler Gateway appliances that is being actively exploited to obtain sensitive data. The vendor says the issue affects on-prem appliances configured as a SAML identity provider and impacts versions before 14.1-60.58 and specified older 13.1 builds. Security researchers at watchTowr observed reconnaissance and confirmed exploitation from at least March 27 that can leak authenticated administrative session IDs, potentially enabling full appliance takeover. Administrators should prioritise immediate patching, isolate affected systems, and apply mitigation guidance from the vendor and security teams.
read more →

Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks

⚡ This weekly recap highlights long-running operations reaching courtrooms, renewed exploitation of legacy techniques, and practical LLM jailbreak research that reduces theoretical risk to operational reality. Notable incidents include active exploitation of a critical Citrix NetScaler flaw (CVE-2026-3055), stealthy telecom kernel implants attributed to Red Menshen, and a GlassWorm campaign delivering a malicious Chrome extension for credential and session theft. The briefing urges immediate patching, layered defenses, and adversarial testing of AI controls while noting regulatory moves such as the FCC router ban and Apple’s U.K. age-verification changes.
read more →

Critical F5 BIG-IP APM Flaw Reclassified as RCE; Patch Now

⚠️F5 Networks has reclassified a previously patched BIG-IP APM denial-of-service flaw (CVE-2025-53521) as a critical remote code execution vulnerability after evidence of active exploitation. Attackers are deploying webshells on unpatched devices that have access policies configured on virtual servers. F5 and CISA have published advisories and IOCs and are urging immediate patching, forensic checks of disks, logs, and terminal history, and adherence to incident-handling policies.
read more →

Critical Citrix NetScaler SAML IDP Memory Leak Exploit

⚠️ A critical out-of-bounds read vulnerability (CVE-2026-3055), disclosed by Citrix on March 23, is being actively exploited against NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers. The flaw (CVSS v4.0 9.3) allows unauthenticated attackers to leak memory contents via crafted SAMLRequest payloads. Citrix and security researchers urge immediate patching to the listed firmware releases and recommend checking NetScaler configurations for SAML IDP profiles.
read more →

Critical FortiClient EMS SQL Injection Now Exploited

🔴 Threat intelligence firm Defused reports active exploitation of a critical SQL injection in Fortinet FortiClient EMS, tracked as CVE-2026-21643. The vulnerability lets unauthenticated attackers inject SQL via the HTTP 'Site' header to the EMS web GUI, enabling arbitrary code or command execution on unpatched systems. Fortinet fixed the issue in 7.4.5; administrators must upgrade immediately and block public access to EMS interfaces. Defused observed first exploitation four days after discovery and Shodan/Shadowserver data indicate many publicly exposed instances.
read more →

Active Recon Targets Citrix NetScaler SAML IDP Flaw

🔍 A critical input-validation flaw in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-3055, CVSS 9.3) is being actively probed in the wild, security firms Defused Cyber and watchTowr report. The bug can cause memory overread and may leak sensitive data when appliances are configured as a SAML Identity Provider. Attackers are enumerating auth methods via /cgi/GetAuthMethods to identify vulnerable SAML IDP setups. Organizations should apply vendor patches immediately.
read more →

CISA Adds F5 BIG-IP CVE-2025-53521 to KEV After Exploitation

⚠️ CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) list after evidence of active exploitation against F5 BIG-IP APM. The flaw, reclassified from a DoS to an RCE with a CVSS v4 score of 9.3, permits unauthenticated remote code execution when an APM access policy is configured on a virtual server. F5 published file, log, and traffic indicators and warned that webshells may run in memory. Organizations and FCEB agencies were directed to apply the vendor fixes by March 30, 2026.
read more →

Apple Issues Lock Screen Alerts for Outdated iOS and iPadOS

🔔 Apple has begun sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS, warning users of active web-based attacks and urging them to install a critical update. The alert follows Apple guidance and reports of exploit kits — notably Coruna and DarkSword — used to deliver malware via compromised websites. Users unable to update are advised to enable Lockdown Mode where available. Apple says it is aware of attacks; Kaspersky analysis links Coruna to the Operation Triangulation framework, and researchers warn the kits could democratize zero-day exploits.
read more →

Critical Langflow RCE Exploited Hours After Disclosure

🚨 Attackers weaponized a critical Langflow remote code execution flaw within hours of disclosure, prompting CISA to add CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The issue stems from an unauthenticated build_public_tmp API endpoint that accepts workflow data and executes embedded Python code without sandboxing, enabling unauthenticated RCE on versions up to 1.8.2. Langflow released a fix in v1.9.0 and agencies are urged to patch by April 8, 2026.
read more →

CISA Warns: Critical Langflow RCE (CVE-2026-33017)

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.
read more →

Rapid Weaponization of Critical Oracle WebLogic RCE

⚠ A critical Oracle WebLogic RCE (CVE-2026-21962, CVSS 10.0) was weaponized the same day public exploit code was released, a CloudSEK honeypot study found. The high-interaction honeypot, run between January 22 and February 3, 2026, recorded immediate automated scanning and exploitation attempts. Researchers also observed probes for older WebLogic flaws and widespread generic web reconnaissance. Organizations are urged to apply patches, restrict console access, deploy WAFs and monitor logs.
read more →

Coruna iOS Exploit Framework Linked to Triangulation

🔒 Coruna is an evolved iOS exploit framework tied to the earlier Operation Triangulation espionage campaign and now includes support for modern Apple silicon such as A17 and M3 chips and iOS builds up to 17.2. Kaspersky found five exploit chains leveraging 23 vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, and determined parts of the kernel exploit are maintained revisions of Triangulation code. The attack begins via a Safari stager that fingerprints the device, selects tailored RCE and PAC exploits, downloads encrypted components decrypted with ChaCha20 and decompressed with LZMA, then loads payloads appropriate to ARM64/ARM64E architectures. Kaspersky also observed Coruna’s use in financially motivated campaigns that impersonate crypto exchanges; Apple has released fixes and users should apply updates promptly.
read more →

Coruna iOS Exploit Kit Reuses 2023 Triangulation Code

⚠️ Coruna, an iPhone exploit kit, repurposes an updated kernel exploit originally used in the 2023 Operation Triangulation campaign, according to Kaspersky. The kit targets iOS 13.0–17.2.1 devices with five full exploit chains and 23 exploits, fingerprinting Safari visitors and selecting tailored Mach-O loaders and payloads. Kaspersky warns the actively maintained, modular codebase now enables mass exploitation and broader criminal reuse, increasing risk to unpatched users.
read more →

PolyShell Exploits Hit 56% of Vulnerable Magento Stores

🔔 Mass exploitation of the PolyShell vulnerability in Magento Open Source and Adobe Commerce began on March 19, with Sansec reporting attacks on 56.7% of vulnerable stores within days of public disclosure. The issue resides in Magento’s REST API, which accepts file uploads for custom cart options and can allow polyglot files to enable remote code execution or account takeover via stored XSS when server configurations permit. Adobe released a patch in 2.4.9-beta1 on March 10, 2026, but no stable production fix is yet available; Sansec has published IPs and IOCs and warns of a WebRTC-based payment skimmer used in some intrusions.
read more →

GlassWorm Campaign Uses Solana Dead-Drops for RAT Operations

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.
read more →

Trivy supply-chain breach escalates into Lapsus$ extortion

🔐 A supply-chain compromise of Trivy has escalated into an extortion campaign linked to Lapsus$, with Mandiant reporting over 1,000 impacted enterprise SaaS environments and the potential for many more. Initial access by cloud-native actor TeamPCP led to stolen credentials that were used to backdoor packages and extend control to projects such as LiteLLM. Security firms Wiz and Socket describe malicious Docker and npm artifacts, a self-replicating worm, and manipulated CI/CD tags, while Aqua Security and partners work to rotate credentials and contain the incident.
read more →

Device Code Phishing Targets 340 Microsoft Orgs Globally

🔐 Huntress is tracking an active device code phishing campaign targeting Microsoft 365 identities at over 340 organizations across the US, Canada, Australia, New Zealand, and Germany. The attackers use Cloudflare Workers redirects and Railway.com-hosted infrastructure to harvest OAuth access and refresh tokens that remain valid after password resets. Sectors hit include construction, non-profits, real estate, manufacturing, finance, healthcare, legal and government.
read more →

PTC warns of imminent RCE threat in Windchill, FlexPLM

⚠️ PTC has alerted customers to a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that could enable remote code execution via deserialization of trusted data. German authorities (BKA) have taken emergency action to warn organizations, citing an imminent threat. Patches are under development, and PTC published an Apache/IIS rule mitigation that denies access to the affected servlet path without breaking functionality. The vendor also released IoCs and detection guidance; if mitigation is not possible, prioritize disconnecting internet-facing instances or shutting down the service.
read more →