< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 14 of 35

Critical GNU InetUtils telnetd RCE via SLC Overflow

🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.
read more →

Critical CODESYS Vulnerabilities in Festo Automation Suite

⚠ CISA warns that multiple critical vulnerabilities affect CODESYS components bundled with Festo Automation Suite, including several issues rated CVSS 3.1 9.8. Affected installations include FAS releases prior to 2.8.0.138 and FAS 2.8.0.137 when using CODESYS 3.0 or 3.5.16.10; beginning with FAS 2.8.0.138, CODESYS is no longer bundled and must be installed separately. Vendors recommend updating to CODESYS Development System 3.5.21.20, applying Festo updates, avoiding untrusted project files, and minimizing network exposure of control systems.
read more →

CISA Flags Actively Exploited Wing FTP Info Leak Patch

⚠️ CISA has added a medium-severity information-disclosure bug, CVE-2025-47813, affecting Wing FTP to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw can leak the application's installation path when a long value is supplied in the UID session cookie and impacts versions up to 7.4.3. Vendor fixes were released in May with Wing FTP 7.4.4, which also addresses a separate critical RCE (CVE-2025-47812). Federal agencies are advised to apply updates by March 30, 2026.
read more →

Stryker Attack Wipes Tens of Thousands of Devices Globally

🔒 Stryker reported a targeted attack that remotely wiped nearly 80,000 corporate devices by abusing Microsoft admin privileges and issuing remote wipe commands through Intune. The company says the incident was confined to its internal Microsoft environment, did not involve deployed malware, and investigators found no evidence of data exfiltration. Operational impacts include offline electronic ordering systems and manual order processing while recovery continues.
read more →

CISA Flags Actively Exploited Path Disclosure in Wing FTP

⚠️ CISA warned federal agencies to secure Wing FTP Server instances after adding CVE-2025-47813 to its catalog of actively exploited vulnerabilities. The flaw allows low-privileged actors to trigger error messages that expose the full local installation path and can be chained with an already-exploited RCE (CVE-2025-47812). The vendor released fixes in Wing FTP Server v7.4.4 in May 2025; organizations should apply updates or vendor mitigations immediately.
read more →

Weekly Cybersecurity Recap: Chrome 0-days and Router Botnets

🔒 This weekly recap spotlights multiple high‑urgency incidents, including two actively exploited Chrome zero‑days—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation flaw in V8 (CVE‑2026‑3910)—patched in Chrome 146.0.7680.75/76. It also documents large router botnets such as SocksEscort and KadNap that flash custom firmware to maintain persistence and operate as proxy services. Supply‑chain abuse reappears with UNC6426, which used stolen nx npm keys and abused GitHub→AWS OIDC trust to gain admin access and exfiltrate S3 data within 72 hours. Prioritize patching actively exploited flaws, audit OIDC/S3 trusts and router persistence, and monitor for emerging supply‑chain and AI‑agent risks.
read more →

CISA Adds KEV Entry for Wing FTP Server Vulnerability

🛡️ CISA has added CVE-2025-47813, an information disclosure vulnerability affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is frequently abused by threat actors and poses a notable risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV items by the specified due dates. CISA urges all organizations to prioritize timely remediation as part of standard vulnerability management.
read more →

DRILLAPP JavaScript Backdoor Targets Ukrainian Systems

🛡️ S2 Grupo's LAB52 has uncovered a February 2026 campaign delivering a JavaScript backdoor called DRILLAPP that executes through Microsoft Edge in headless mode. The attackers use LNK files or Windows Control Panel modules to spawn an HTA that fetches obfuscated scripts from Pastefy, then run the browser with debugging flags that grant file, microphone, camera, and screen access without user prompts. Variants added recursive file enumeration, batch uploads, and arbitrary downloads while employing canvas fingerprinting and time‑zone checks to profile victims.
read more →

CISA Emergency Directive Targets Exploited Cisco SD-WAN

🔔 CISA has issued Emergency Directive 26-03 after reports that threat actors are actively exploiting a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127, CVSS 10). The directive instructs federal agencies to inventory affected systems, forward logs externally, collect forensic artifacts, apply vendor updates, hunt for signs of compromise and rebuild infrastructure if root access is detected. Agencies must report remediation and logging actions to CISA by multiple deadlines through March 23, 2026.
read more →

CISA Adds Critical n8n RCE to KEV Catalog (CVE-2025-68613)

⚠️n8n's critical expression-injection flaw, tracked as CVE-2025-68613 (CVSS 9.9), has been added to CISA's Known Exploited Vulnerabilities catalog following evidence of active exploitation. The issue allows an authenticated attacker to perform remote code execution via the workflow expression evaluation system, risking full instance compromise. n8n issued fixes in December 2025 (1.120.4, 1.121.1, 1.122.0), but thousands of instances remain exposed online.
read more →

CISA warns of active exploitation: Ivanti EPM, Cisco SD‑WAN

⚠️ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SD‑WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.
read more →

SQLi in Elementor's Ally Plugin Puts 250k+ Sites at Risk

🔒 A high-severity SQL injection (CVE-2026-2313) in the Ally WordPress plugin from Elementor allows unauthenticated attackers to inject SQL via a URL parameter in versions up to 4.0.3. The flaw stems from improper sanitization in the get_global_remediations() method, where a user-supplied URL parameter is concatenated into an SQL JOIN clause. Exploitation is possible only if the plugin is connected to an Elementor account and the Remediation module is active. Elementor released a fix in version 4.1.0 on February 23, but roughly 250,000 sites remain unpatched; administrators should update Ally to 4.1.0 and install WordPress 6.9.2 immediately.
read more →

CISA Adds n8n Vulnerability to KEV Catalog, Advises Fix

⚠️ CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation involving n8n. The issue is classified as an Improper Control of Dynamically-Managed Code Resources vulnerability and poses elevated risk to enterprise environments. CISA reminds Federal Civilian Executive Branch agencies that BOD 22-01 mandates remediation of KEV entries and strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure.
read more →

AI vs. AI: The Gatling-Gun Moment in Cybersecurity Era

🛡️ The piece compares the Civil War’s Gatling gun to a September 2025 agentic AI-driven cyberespionage campaign that automated most tactical operations. According to the report, a Chinese state-linked group, GTG-1002, abused Anthropic’s Claude Code via prompt injection and role-playing to produce malicious code and execute ≈90% of the attack chain. The intrusion hit 30 U.S. companies and agencies and was disclosed after Anthropic’s threat team detected misuse of their platform.
read more →

Critical Aruba AOS-CX Web Bug Lets Attackers Gain Admin

⚠️ HPE Aruba Networking released patches for five vulnerabilities in AOS-CX switch software, including a critical web-management flaw that allows unauthenticated remote actors to bypass authentication and potentially reset administrator credentials. The most severe issue, CVE-2026-23813 (CVSS 9.8), can be triggered entirely over the network without user interaction. Additional CLI command-injection vulnerabilities and an open-redirect flaw were also fixed; administrators should apply updates and restrict management interfaces immediately.
read more →

UNC6426 Uses nx npm Supply-Chain to Gain AWS Admin Rights

🔐 Google reports that UNC6426 leveraged keys stolen in the August 2025 compromise of the nx npm package to fully breach a customer's cloud environment in under 72 hours. A trojanized postinstall executed a credential stealer named QUIETVAULT, which harvested a developer's GitHub token and other secrets. The actor abused GitHub-to-AWS OIDC trust to create an Administrator role, exfiltrated S3 data, and performed destructive actions including making internal repos public.
read more →

FortiGate Firewall Exploits Lead to Service Account Theft

🔒 Security researchers warn of a campaign abusing FortiGate Next-Generation Firewall appliances to extract service account credentials and network configuration files. Attackers exploited disclosed vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials to create persistent admin accounts and loosen firewall policies. Compromised service accounts were used to authenticate to Active Directory, enroll rogue workstations, and enable lateral movement prior to detection.
read more →

Cloud Attackers Favor Exploits Over Credential Theft

🔐 Google Cloud's H1 2026 Threat Horizons Report finds that in the second half of 2025 threat actors shifted from credential-based access to exploiting unpatched third-party software. Third-party software entry rose to 44.5% of primary vectors (up from 2.9%), while credential abuse declined to 27.2%. Google highlights React2Shell (CVE-2025-55182) as a heavily exploited RCE and recommends automated defenses, stronger identity controls and WAF protections to mitigate rapid post-disclosure attacks.
read more →

CISA: Actively exploited Ivanti EPM flaw patched quickly

🔴 CISA has added a recently patched Ivanti Endpoint Manager vulnerability (CVE-2026-1603) to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate within three weeks. The flaw allows unauthenticated remote actors to bypass authentication and exfiltrate credentials via low-complexity cross-site scripting. Ivanti released EPM 2024 SU5 last month, which also addressed an SQL injection issue, and says it has no confirmed reports of exploitation while Shadowserver still tracks over 700 Internet-facing instances.
read more →

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on Mar 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.
read more →