< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 13 of 35

Microsoft: IRS-themed Phishing Hits 29,000, RMM Abused

⚠️Microsoft reported large-scale IRS-themed phishing campaigns in February 2026 that targeted more than 29,000 users across 10,000 organizations, using tax refund, payroll and W‑2 lures to harvest credentials and deliver remote access tools. Attackers leveraged Phishing-as-a-Service kits (notably Energy365 and SneakyLog/Kratos) and abused legitimate RMM products such as ScreenConnect, Datto, and SimpleHelp to maintain persistent access. Microsoft advises enforcing 2FA, applying conditional access, and blocking malicious domains and payloads to reduce exposure.
read more →

Attackers Exploit CVE-2025-32975 to Hijack KACE SMA

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.
read more →

Trivy Supply-Chain Breach Pushes Infostealer via GitHub

🛡️ The Trivy vulnerability scanner was compromised in a supply-chain attack that injected an infostealer into official releases and GitHub Actions. Researchers attribute the campaign to TeamPCP, which trojanized the trivy binary (v0.69.4) and replaced GitHub Action entrypoints, affecting many trivy-action tags. The malware harvested a broad range of credentials, exfiltrated data to a typosquatted C2, and deployed persistence on infected hosts. Organizations using affected versions should assume full compromise and rotate secrets immediately.
read more →

Trivy scanner backdoored in supply-chain compromise

⚠ The widely used Trivy vulnerability scanner and its official GitHub Actions were backdoored after attackers injected a credential‑stealing payload into official releases, the trivy-action and setup-trivy components, and published binaries. The malware harvests pipeline secrets by reading process memory and searching filesystems for SSH keys, cloud credentials, Kubernetes tokens, Docker configs, and wallets, exfiltrating encrypted data to a typosquatted domain or, failing that, by creating a public repository named tpcp-docs. Researchers say the intrusion followed an earlier compromise and incomplete credential rotation that let attackers regain access via insecure GitHub Actions; victims should rotate secrets immediately and pin Actions to full commit SHAs. Known safe versions include Trivy v0.69.3, trivy-action tag 0.35.0, and setup-trivy 0.2.6.
read more →

Oracle issues emergency patch for Identity Manager RCE

🛡️ Oracle has released an out-of-schedule security update to fix a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, that affects Oracle Identity Manager and Oracle Web Services Manager. Oracle says the flaw is low complexity, exploitable remotely over HTTP without authentication or user interaction. The company strongly recommends applying patches or mitigations immediately and notes fixes via the Security Alert program are limited to supported versions.
read more →

Critical Langflow RCE (CVE-2026-33017) Exploited Fast

⚠️ The Langflow open-source tool contains a critical vulnerability, CVE-2026-33017 (CVSS 9.3), that allows unauthenticated remote code execution via a POST endpoint that accepts attacker-supplied Python in the request payload. The flaw affects all versions up to and including 1.8.1 and is addressed in the development branch (1.9.0.dev8). Exploitation was observed within 20 hours of public disclosure; operators should apply updates, rotate secrets, and restrict access immediately.
read more →

CISA Orders Feds to Patch Critical Cisco FMC Flaw by Sunday

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.
read more →

Hackers Exploit Critical Langflow RCE Within 20 Hours

🔐 Sysdig reported that threat actors exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow within 20 hours of the advisory publication. The flaw, rated CVSS 9.3, allows execution of arbitrary Python via a single HTTP request and requires no credentials. Attackers built functional exploits from the advisory despite no public PoC, scanned broadly, and exfiltrated keys, database credentials and cloud secrets. Sysdig warns organizations must accelerate patching and rethink vulnerability programs.
read more →

Apple Warns Older iPhones Vulnerable to Web Exploit Kits

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware via compromised sites. Apple says devices running the latest releases (iOS 15 through 26) are not affected, and has released targeted patches for legacy hardware. For devices that cannot be updated, Apple recommends specific interim updates and enabling Lockdown Mode to reduce exposure.
read more →

54 EDR Killers Use BYOVD to Exploit 34 Signed Drivers

🔒 A new ESET analysis identified 54 EDR-killer tools that leverage BYOVD, abusing 34 signed vulnerable drivers to gain kernel-mode privileges and neutralize endpoint protection. These utilities are frequently reused in ransomware operations to disable defenses prior to encryption, decoupling evasion from the encryptor. ESET recommends blocking misused drivers and adopting layered detection to mitigate the threat.
read more →

ThreatsDay: FortiGate RaaS, Citrix Exploits & Phish

🔔 ThreatsDay Bulletin highlights a wave of pragmatic, stealthy intrusions and abuse of lingering edge vulnerabilities. Notable findings include a nascent RaaS named The Gentlemen exploiting CVE-2024-55591 against FortiGate, a chained pre-auth RCE in BMC FootPrints, and active campaigns targeting Citrix NetScaler. The briefing underscores how small, well-crafted techniques— from deep-link MCP abuse to Teams phishing—are enabling remote access and data theft.
read more →

CISA Adds Cisco FMC Deserialization Flaw to KEV Catalog

⚠️ CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability involves deserialization of untrusted data in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. This class of flaw is a common attack vector and poses significant risk. CISA reminds Federal Civilian Executive Branch agencies to remediate per BOD 22-01 and urges all organizations to prioritize timely remediation as part of normal vulnerability management.
read more →

Critical Microsoft SharePoint Flaw Now Exploited in Attacks

🔴 The Cybersecurity and Infrastructure Security Agency (CISA) warned that a critical deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2026-20963, is being exploited in the wild. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and can allow unauthenticated remote code execution on unpatched servers. Microsoft patched the issue during January Patch Tuesday but has not labeled it as exploited; CISA added the vulnerability to its actively exploited catalog and ordered federal agencies to remediate by March 21.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Patch Alert

🔒 AWS analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26. The flaw can permit an unauthenticated attacker to execute arbitrary Java code as root and carries a 10.0 CVSS score. AWS recommends applying Cisco patches, reviewing IoCs and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.
read more →

CISA Alerts: Zimbra, SharePoint Flaws Actively Exploited

⚠ CISA has urged federal agencies to apply patches for two actively exploited vulnerabilities affecting Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint. Zimbra's Classic UI suffered a stored XSS (CVE-2025-66376) patched in versions 10.0.18 and 10.1.13 in November 2025, while SharePoint had a deserialization RCE (CVE-2026-20963) fixed in January 2026. CISA set FCEB patching deadlines and reported no public attribution or scale; separately, Amazon detailed exploitation of a Cisco firewall-management zero-day (CVE-2026-20131) by the Interlock ransomware group.
read more →

CISA Orders Federal Patch for Zimbra XSS Flaw Exploited

⚠️ CISA has ordered Federal Civilian Executive Branch agencies to remediate an actively exploited stored cross-site scripting vulnerability in the Zimbra Collaboration Suite, tracked as CVE-2025-66376. The flaw in the Classic UI can be abused via CSS @import directives in HTML emails by remote, unauthenticated attackers to execute arbitrary JavaScript, risking session hijack and data exfiltration. Agencies were given until April 1 under BOD 22-01, and all organizations are urged to apply vendor patches or available mitigations immediately.
read more →

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026—36 days before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.
read more →

Nine IP KVM Vulnerabilities Allow Remote Full Host Control

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.
read more →

Vidar Stealer 2.0 Delivered via Fake Game Cheats on GitHub

🎮 Acronis TRU found hundreds of GitHub repositories posing as "free" game cheats that deliver the Vidar 2.0 infostealer, warning the true number of malicious repos could be in the thousands. Campaigns begin in game-focused Discord and Reddit communities and use PS2EXE-compiled PowerShell loaders to evade basic detections. Loaders add Windows Defender exclusions, fetch secondary payload URLs from Pastebin linking to GitHub-hosted binaries, and deploy a Themida-packed Vidar executable that establishes persistence via scheduled tasks. The payload then harvests credentials, tokens and files and exfiltrates them through C2 infrastructure masked by Telegram bots and Steam dead-drop resolvers.
read more →

ClickFix Campaign Distributes New In-Memory Infostealers

🛡️ Rapid7 and Microsoft researchers have documented a ClickFix operation that compromised over 250 WordPress sites to distribute fileless infostealers using counterfeit Cloudflare CAPTCHA prompts. The injected JavaScript hides from administrators and coerces visitors into pasting obfuscated commands that launch an in-memory DoubleDonut loader, which injects payloads into legitimate Windows processes. Observed payloads include a new Vidar variant and two previously undocumented stealers—Impure Stealer (.NET) and VodkaStealer (C++)—both using advanced encoding, encryption and sandbox-detection checks. Site owners are urged to restrict public admin access, tighten credentials and apply the published IOCs and YARA rules.
read more →