< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 15 of 35

Cloud Attacks Shift to Exploiting Newly Disclosed Flaws

⚠️ Google reports attackers increasingly exploit newly disclosed third‑party vulnerabilities to gain cloud access, with the exploitation window shrinking to days. Bug exploits, especially RCE flaws like React2Shell and XWiki, accounted for 44.5% of intrusions while credential-based breaches fell to 27%. Incidents include OIDC abuse via compromised packages, long-term espionage by state-linked groups, and insider-facilitated exfiltration, prompting calls for automated response.
read more →

Weekly Cybersecurity Recap: Exploits, Takedowns, Trends

🛡️ This week's roundup highlights major offensive operations, critical vulnerabilities, and notable law enforcement wins. Security firms and authorities dismantled the infrastructure behind Tycoon2FA and disrupted LeakBase, striking at large-scale AitM phishing and underground data markets. At the same time, researchers disclosed high-impact flaws — from a Qualcomm chipset exploit to the powerful Coruna iOS kit — underscoring persistent risk and the need for rapid patching. Prioritize the listed CVEs and accelerate triage and remediation.
read more →

Zero-Day Exploits on Enterprise Software Reach Record High

🛡️ Google Threat Intelligence Group (GTIG) analysis found 90 zero-day vulnerabilities were actively exploited in 2025, and attackers are increasingly focusing on enterprise technology. Enterprise software and appliances accounted for 43 (48%) of tracked zero-days, with security and networking appliances most frequently targeted. End-user platforms still comprised 52% of exploits overall, led by Microsoft Windows, while mobile OS targeting rose and browser-based zero-days fell to a historic low. GTIG recommends segmentation, least-privilege architectures and continuous monitoring to detect and respond to threats.
read more →

Zero-day Exploits Hit Enterprises Faster and Harder

⚠️ Google’s GTIG tracked 90 zero-day vulnerabilities in 2025, finding nearly half targeted enterprise technologies such as security appliances, VPNs, networking gear, and enterprise software. The report highlights that Chinese-linked actors increased their use of zero-days and that commercial surveillance vendors now outpaced state-backed groups. Defenders face shrinking response windows as exploit sharing, faster public-to-exploit timelines, and emerging AI accelerate attacks.
read more →

Critical WordPress plugin bug lets attackers create admins

⚠️ A critical vulnerability in the User Registration & Membership WordPress plugin (CVE-2026-1492, CVSS 9.8) is being actively exploited to create unauthenticated administrator accounts. The flaw allows attackers to supply a role during membership registration and obtain full admin privileges. Defiant's Wordfence blocked over 200 exploit attempts in the past 24 hours, indicating live attacks. WPEverest released a fix in 5.1.3 (the article notes 5.1.4 was released last week); update immediately or disable the plugin until you can patch.
read more →

Cisco Confirms Active Exploitation of SD‑WAN Manager Flaws

🔔Cisco has confirmed active exploitation of two vulnerabilities in Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). CVE-2026-20122 (CVSS 7.1) permits an authenticated remote attacker with valid read‑only API credentials to overwrite arbitrary files on the local filesystem, while CVE-2026-20128 (CVSS 5.5) could allow an authenticated user to obtain Data Collection Agent (DCA) privileges. Cisco has released fixes across affected 20.x releases and urges immediate upgrades and mitigations such as restricting access, disabling HTTP, securing appliances behind firewalls, changing default passwords, and monitoring logs for unexpected activity.
read more →

Cisco Flags More Catalyst SD-WAN Flaws as Actively Exploited

🔔 Cisco has warned that two additional Catalyst SD-WAN Manager vulnerabilities — a high-severity arbitrary file overwrite (CVE-2026-20122) and a medium-severity information disclosure flaw (CVE-2026-20128) — are being actively exploited. The file-overwrite vulnerability can be triggered remotely by attackers with valid read-only API credentials; the information-disclosure issue requires local vManage credentials. Cisco says the flaws affect the software regardless of device configuration and urges administrators to upgrade to fixed releases immediately.
read more →

Surge in Camera Attacks Linked to Iranian Actors Regionwide

🎥 Check Point Research reported a surge of attempts to compromise internet‑connected surveillance cameras across the Middle East beginning 28 February, with additional focused activity in parts of Lebanon on 1 March. The campaign targeted Hikvision and Dahua devices, scanning for known authentication‑bypass and remote‑code‑execution flaws for which patches exist. Infrastructure attributed to Iran used commercial VPN exit nodes and VPS hosts. Recommended mitigations include removing WAN exposure, enforcing strong credentials, applying firmware updates, and segmenting cameras onto a dedicated VLAN.
read more →

CISA Adds VMware Aria Operations RCE to KEV Catalog

⚠️ CISA has added a high‑severity VMware Aria Operations flaw, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation; the issue is an unauthenticated command injection that can allow arbitrary command execution and potential remote code execution. Broadcom released fixes for VMware Cloud Foundation, vSphere Foundation 9.0.2.0 and Aria Operations 8.18.6, and provided a shell-script workaround (aria-ops-rce-workaround.sh) for appliance nodes. Public details of in‑the‑wild exploitation and attribution remain scarce. Federal civilian agencies must apply the fixes by March 24, 2026.
read more →

CISA Flags VMware Aria Operations RCE as Exploited

🚨 CISA has added a VMware Aria Operations command injection flaw (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog and is treating the issue as exploited in attacks. Broadcom says it is aware of reports of exploitation but cannot independently confirm them. VMware released patches on February 24 and provided a temporary workaround script (aria-ops-rce-workaround.sh) that disables vulnerable migration components; administrators should apply the updates or the workaround immediately.
read more →

LexisNexis Confirms Breach After Hackers Leak Files

🔒 LexisNexis has confirmed a breach after the threat actor FulcrumSec posted 2.04 GB of files allegedly exfiltrated from its AWS environment. The group says they exploited a React2Shell vulnerability in an unpatched React frontend container on February 24 to reach Redshift tables, VPC databases and plaintext Secrets Manager entries. LexisNexis characterizes the material as mostly legacy data from before 2020 and says it contained no Social Security numbers, driver’s license numbers, financial data, active passwords, customer search queries, client/matter data, or contracts.
read more →

Open-Source CyberStrikeAI Deployed in FortiGate Attacks

🚨 Security researchers say an open-source, AI-native offensive platform called CyberStrikeAI was used to automate mass scanning and exploitation of Fortinet FortiGate appliances, contributing to compromises of more than 600 devices across 55 countries. Team Cymru traced activity to a Russian-speaking actor after analyzing an IP address and observed 21 unique IPs running the tool between January 20 and February 26, 2026. The tool's GitHub maintainer, known as Ed1s0nZ, has published a range of exploitation and AI-jailbreak utilities and shows interactions with organizations linked to Chinese state cyber capabilities.
read more →

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2026, after observing evidence of active exploitation. The entries include CVE-2026-21385, a memory corruption issue impacting multiple Qualcomm chipsets, and CVE-2026-22719, a command injection vulnerability affecting Broadcom VMware Aria Operations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged flaws by the required due dates; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to add vulnerabilities that meet its KEV criteria.
read more →

Google Confirms Exploited Qualcomm Graphics Flaw in Android

⚠ Google confirmed that CVE-2026-21385, a high-severity buffer over-read in a Qualcomm graphics component used on Android devices, has been observed exploited in the wild. Qualcomm characterizes the defect as an integer overflow that permits memory corruption when user-supplied data is written without checking buffer space. The issue (CVSS 7.8) was reported to Qualcomm by Google's Android Security team on December 18, 2025, and customers were notified on February 2, 2026. Google’s March 2026 security bulletin includes this fix among 129 patches and notes indications of limited, targeted exploitation.
read more →

CyberStrikeAI Adopted by Hackers for AI-Powered Attacks

🔍 Researchers warn that the open-source platform CyberStrikeAI was observed on infrastructure linked to a recent campaign that compromised hundreds of Fortinet FortiGate devices. Team Cymru analysts identified the service banner on port 8080 at 212.11.64[.]250 and saw communications between that host and targeted FortiGate appliances. The platform integrates over 100 security tools with AI agents to automate end-to-end attack chains, enabling lower-skilled operators to carry out complex exploitation.
read more →

Critical macOS ExifTool Vulnerability CVE-2026-3102

⚠️ Kaspersky's GReAT discovered a critical flaw, CVE-2026-3102, in ExifTool that can execute embedded shell commands when processing crafted image metadata on macOS if ExifTool is invoked with the -n/--printConv flag. The issue affects ExifTool versions 13.49 and earlier and can be exploited in automated workflows or apps that bundle the library. Update to ExifTool 13.50 immediately, isolate processing of untrusted files, and verify third-party tools do not include older copies of the library.
read more →

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.
read more →

Over 900 FreePBX Instances Remain Infected with Web Shells

⚠ The Shadowserver Foundation reports that more than 900 FreePBX instances remain infected with web shells after exploitation of the CVE-2025-64328 post-auth command injection flaw. The vulnerability (CVSS 8.6) affects versions >=17.0.2.36 and was fixed in 17.0.3; recommended mitigations include restricting access to the Administration Control Panel, updating the filestore module, and applying available updates. Fortinet links active exploitation since December 2025 to the INJ3CTOR3 actor delivering an EncystPHP web shell that enables arbitrary shell execution as the asterisk user and can initiate outbound call activity via compromised PBX instances.
read more →

CISA: RESURGE Malware Can Remain Dormant on Ivanti Devices

🔒 CISA warns that the RESURGE implant can remain latent on Ivanti Connect Secure devices, evading detection by awaiting a specific inbound TLS connection rather than beaconing to a command-and-control server. The 32-bit Linux Shared Object libdsupgrade.so hooks the web process, inspects TLS packets using a CRC32 fingerprint, and authenticates attackers with a forged Ivanti certificate. The agency notes related tools like liblogblock.so for log tampering and a kernel extraction script, and it urges administrators to use updated IoCs and hashes to discover and remove dormant infections.
read more →

Maximum-Severity Cisco SD-WAN Zero-Day Actively Exploited

🔒 A maximum-severity vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 10.0), lets an unauthenticated remote attacker bypass authentication and obtain elevated administrative privileges by sending a crafted request. Cisco reports active exploitation across on-prem and Cisco-hosted deployments by a sophisticated actor identified as UAT-8616, with malicious activity dating to 2023. Customers should apply vendor fixes immediately, audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries, and follow CISA emergency guidance.
read more →